"123456" is the most popular password, the CEO resigns, yet users are still increasing: a full summary of the overflowing information leak at the adultery SNS "Ashley Madison"



The data leak at the affair matching site "Ashley Madison", in which registered information such as e-mail addresses, credit card numbers and sexual preferences leaked, continues to cause various ripples even though about a month has passed since the incident occurred.

Top 100 list shows Ashley Madison passwords are just as weak as all the rest | Ars Technica
http://arstechnica.com/security/2015/09/new-stats-show-ashley-madison-passwords-are-just-as-weak-as-all-the-rest/

◆ Popular password
Every time a password leak occurs, it is revealed that tremendously simple passwords are in use, and history seems to have repeated itself in the Ashley Madison incident. When researchers surveyed more than 11 million accounts cracked in the Ashley Madison case and arranged the passwords in descending order of frequency of use, the top 100 popular passwords looked like this.


The unshakable No. 1, used by about 1% of users, is "123456". It also topped the "top 100 commonly used passwords leaked from Adobe", and "123456", known as the No. 1 password that should not be used, once again showed its consistency.


Second place and below are "12345", "password", "DEFAULT", "123456789", "qwerty", "12345678" and "abc123".


In addition, as might be expected of an affair SNS, obscene terms also seem to be popular.


Of 11.7 million cases, only 4.6 million were said to have set a relatively strong password combining random character strings or numbers with no particular meaning, which makes clear that more than half of users had set a password that was likely to be cracked.

◆ How were they cracked?
The Ashley Madison user passwords leaked in this hack were strongly hashed with the "bcrypt" algorithm, so at first they were thought to be difficult to decipher. However, a way to effectively crack the bcrypt-hashed passwords has been revealed.

CynoSure Prime: How we cracked millions of Ashley Madison bcrypt hashes efficiently
http://cynosureprime.blogspot.jp/2015/09/how-we-cracked-millions-of-ashley.html

A password cracking group called CynoSure Prime noticed that Ashley Madison's password mechanism uses the variable "$loginkey", which starts with "$". This $loginkey is presumed to be used to generate a token (one-time password) that lets users log in automatically when changing their password, registered e-mail address and so on. CynoSure Prime found that $loginkey was hashed with "MD5", a relatively weak hash function, and by cracking this $loginkey instead of the strong bcrypt hash of the password itself, it effectively recovered the passwords.
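The weakest-link effect described above, as an added example that is not code from this article or from CynoSure Prime: a record that stores a slow password hash next to a fast MD5 value derived from the same password can be checked at MD5 cost, while a random token gives nothing away. Assumptions: PBKDF2 stands in for bcrypt, the `username::password` MD5 input format is hypothetical (the article only says $loginkey was MD5-hashed), and the user name and wordlist are constructed samples.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample wordlist: the top passwords quoted earlier in this article.
CANDIDATES = ["123456", "12345", "password", "DEFAULT",
              "123456789", "qwerty", "12345678", "abc123"]

def slow_hash(password, salt):
    # PBKDF2 stands in for bcrypt, which is not in the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def md5_key(username, password):
    # Hypothetical construction; the article only says $loginkey was MD5-hashed.
    return hashlib.md5(f"{username}::{password}".encode()).hexdigest()

def make_record(username, password, derived_key=True):
    salt = os.urandom(16)
    # Hardened variant: a random token that carries no information about the password.
    key = md5_key(username, password) if derived_key else secrets.token_hex(16)
    return {"username": username, "salt": salt,
            "pw_hash": slow_hash(password, salt), "loginkey": key}

def audit(record, candidates):
    """Return (password exposed through loginkey or None, slow-hash calls spent)."""
    slow_calls = 0
    for guess in candidates:
        # Each guess costs one MD5; the slow hash is only needed to confirm a hit.
        if hmac.compare_digest(md5_key(record["username"], guess), record["loginkey"]):
            slow_calls += 1
            if hmac.compare_digest(slow_hash(guess, record["salt"]), record["pw_hash"]):
                return guess, slow_calls
    return None, slow_calls

if __name__ == "__main__":
    weak = make_record("sample_user", "qwerty")
    fixed = make_record("sample_user", "qwerty", derived_key=False)
    print(audit(weak, CANDIDATES))   # one slow-hash call instead of six
    print(audit(fixed, CANDIDATES))  # the random token reveals nothing
```

Testing the same wordlist directly against the slow hash would need six slow-hash evaluations to reach "qwerty"; with the derived key present, only the single confirming call is needed.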

◆ Fraud runs rampant
The information leaked from Ashley Madison includes credit card information as well as user names and passwords. Above all, due to the nature of the service, the very fact of user registration and the payment records are themselves highly sensitive information, so it goes without saying what this means for the users whose information leaked.

However, the first to act on this situation were neither the registered users nor Ashley Madison's operating company, the Canada-based Avid Life Media, but fraudsters.

According to research by security company Symantec, spam activity related to this data leak has increased sharply since August 18, 2015, when it became clear that user information had leaked from Ashley Madison.


Many of the thousands of spam e-mails blocked by Symantec on August 19, 2015 are said to have had domains related to Ashley Madison in the recipient and sender fields.


The subjects of the blocked e-mails apparently include "How to check if your email is part of Ashley Madison's hack", "How to Check if You Were Exposed in Ashley Madison Hack" and "Ashley Madison hacked, is your spouse cheating".

Sites that collect e-mail addresses with pitches such as "you can find out whether your information was leaked just by entering your e-mail address" have also increased sharply. Of course, many of these are considered to be fraudulent sites for harvesting e-mail addresses. Because the owner of an entered e-mail address is very likely to be an Ashley Madison user, that person is ideal prey, revealing their anxiety and guilty feelings to the fraudsters.

It has also been reported that threatening e-mails are being sent to people whose information actually leaked, saying "In return for not disclosing the information to your spouse, please remit Bitcoin".

◆ The reality of Ashley Madison
Ashley Madison told the world that it had grown into one of the world's largest partner search sites with the striking catchphrase "Let's have an affair once." It was said to have many female users all over the world.


However, according to US Gizmodo, the information leaked in the hack showed about 31 million men and about 5.5 million women, but most of the female users are strongly suspected to be fictitious accounts (so-called "cherry" accounts, that is, shills) created by Avid Life Media, because they use e-mail accounts automatically generated by bots and IP addresses that are local loopback addresses. In addition, it is reported that more than 20 million men had checked their messages, while only 1492 women had, a very lonely figure.


In response to the claim that the women were mostly fake "cherry" accounts, Avid Life Media has issued a rebuttal: this is a misunderstanding caused by misinterpreting the meaning of fields in the leaked data, the calculation method and figures are incorrect, and in the first half of 2015 the ratio of male users who paid to communicate with women to active (free) female users was 1.2:1.

◆ Enduring popularity
On 24 August 2015, the Toronto city police in Canada announced that there have been at least two deaths by suicide in connection with the Ashley Madison information leak. Bryce Evans of the Toronto police said that secondary crimes have arisen, such as extortion and data-deletion scams targeting Ashley Madison users, and that "No one can erase the information anymore".

On 28th August 2015, amid the turmoil over the user information leak, the fake female "cherry" accounts, users' suicides and so on, Avid Life Media announced that CEO Noel Biderman had resigned. The announcement says that "Mr. Biderman's resignation is the greatest benefit to the company" and that with the CEO stepping down the company can continue to support users and employees.


The affair SNS Ashley Madison has become a big problem, but the service is still operating. On August 31, 2015, Avid Life Media announced that 87,596 new female members joined in just one week at the end of August 2015, and that the number of users is increasing even after the incident came to light.

in Note,   Web Service, Posted by darkhorse_log