Skip navigation

Tag Archives: passwords

Earlier today, the full dump of Ashley Madison has finally leaked on an .onion (Tor) website. A more complete analysis will follow in the next days. Also check out the write up on part 2 of the leak.

TL;DR :

  • The leaked files seem totally legit
  • 33 million accounts and user personal information have leaked
  • 36 million email addresses have leaked (you might get some spam…)
  • Accounts’ passwords were stored in a secure way and while they won’t be cracked as a whole, someone targeting you might crack your password. Change it.
  • The dump was made on 11/07/15 (July). If you registered your account after this date, you are mostly safe. If you registered before, your personal information are at risk and I advise you to take measures to protect yourself from identity/credit card theft.

 

Leak content

The leak contains the following files :

am_tree

Those compressed files weight ~ 10GB (and about 35GB uncompressed).

README

The readme file contains the following text:

  _______ _____ __  __ ______ _       _    _ _____  _ 
 |__   __|_   _|  \/  |  ____( )     | |  | |  __ \| |
    | |    | | | \  / | |__  |/ ___  | |  | | |__) | |
    | |    | | | |\/| |  __|   / __| | |  | |  ___/| |
    | |   _| |_| |  | | |____  \__ \ | |__| | |    |_|
    |_|  |_____|_|  |_|______| |___/  \____/|_|    (_)

Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.

Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.

Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.

Any data not signed with key 6E50 3F39 BA6A EAAD D81D ECFF 2437 3CD5 74AB AA38 is fake.

74ABAA38.txt

This file contains the GPG public key that can be used to check that all the files were created by the author and *not* modified by some third party. They are all legit in this case.

CreditCardTransactions.7z

This archive contains *all* the credit card transactions from the past 7 years! (The first csv file dates back to March 2008). All those csv files contains the names, street address, amount paid and email address of everyone who paid something on AshleyMadison. Those ~2600 files represent more than 9.600.000 transactions !

am_am.dump

Here comes the interesting part. This file contains 32 million user data: first/last names, street address, phone numbers, relationship status, what they are looking for, if they drink, smoke, their security question, date of birth, nickname, etc…

ashleymadisondump.7z

This archive mostly contains administrative documents about AM internals some of them were published a few days after the breach was announced.

aminno_member.dump

I don’t know where does this database dump come from, but it also contains some personal data.

aminno_member_email.dump

About 36 million email addresses. (Gonna make some stats on them in a second time)

member_details.dump

Physical description: eyes color, weight, height, hair color, body type, “ethnicity”, caption…

member_login.dump

This database dump contains more than 30 million usernames + hashed passwords. The passwords are hashed with the bcrypt algorithm and
a huge cost factor of 12, which makes a global attack on the password very unlikely (even for most commons passwords). However, attacking a single (or a couple) of passwords is still possible and you definitely need to change your password.

Tables schema

To give you an idea of what is stored in the database, here are the different tables schema of the database. Fields name are really explicit.

CREATE TABLE `am_am_member` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`createdon` timestamp NULL DEFAULT NULL,
`createdby` int(11) DEFAULT NULL,
`updatedon` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
`updatedby` int(11) DEFAULT NULL,
`admin` int(11) DEFAULT NULL,
`status` int(11) DEFAULT NULL,
`account_type` int(11) DEFAULT NULL,
`membership_status` int(11) DEFAULT NULL,
`ad_source` int(11) NOT NULL DEFAULT ‘0’,
`profile_number` int(11) DEFAULT NULL,
`nickname` varchar(16) DEFAULT NULL,
`first_name` varchar(24) DEFAULT NULL,
`last_name` varchar(24) DEFAULT NULL,
`street1` varchar(70) DEFAULT NULL,
`street2` varchar(70) DEFAULT NULL,
`city` varchar(28) DEFAULT NULL,
`zip` varchar(16) DEFAULT NULL,
`state` int(11) DEFAULT NULL,
`latitude` double NOT NULL DEFAULT ‘0’,
`longitude` double NOT NULL DEFAULT ‘0’,
`country` int(11) DEFAULT NULL,
`phone` varchar(24) DEFAULT NULL,
`work_phone` varchar(24) DEFAULT NULL,
`mobile_phone` varchar(24) DEFAULT NULL,
`gender` int(11) DEFAULT NULL,
`dob` date DEFAULT NULL,
`profile_caption` varchar(64) DEFAULT NULL,
`profile_ethnicity` int(11) DEFAULT NULL,
`profile_weight` int(11) DEFAULT NULL,
`profile_height` int(11) DEFAULT NULL,
`profile_bodytype` int(11) DEFAULT NULL,
`profile_smoke` int(11) DEFAULT NULL,
`profile_drink` int(11) DEFAULT NULL,
`profile_initially_seeking` int(11) DEFAULT NULL,
`profile_relationship` int(11) DEFAULT NULL,
`pref_opento` varchar(164) NOT NULL DEFAULT  »,
`pref_opento_other` varchar(28) DEFAULT NULL,
`pref_opento_abstract` mediumtext NOT NULL,
`pref_turnsmeon` varchar(164) NOT NULL DEFAULT  »,
`pref_turnsmeon_other` varchar(28) DEFAULT NULL,
`pref_turnsmeon_abstract` mediumtext,
`pref_lookingfor` varchar(164) NOT NULL DEFAULT  »,
`pref_lookingfor_other` varchar(28) DEFAULT NULL,
`pref_lookingfor_abstract` mediumtext,
`main_photo` int(11) DEFAULT NULL,
`security_question` int(1) NOT NULL DEFAULT ‘0’,
`security_answer` varchar(32) NOT NULL DEFAULT  »,

CREATE TABLE `aminno_member` (
`pnum` int(11) NOT NULL DEFAULT ‘0’,
`approved` tinyint(1) NOT NULL DEFAULT ‘0’,
`signupvid` varchar(64) NOT NULL DEFAULT  »,
`signupip` varchar(15) NOT NULL DEFAULT  »,
`sponsor` int(8) NOT NULL DEFAULT ‘0’,
`nickname` varchar(28) CHARACTER SET utf8 COLLATE utf8_general_mysql500_ci NOT NULL DEFAULT  »,
`gender` int(1) NOT NULL DEFAULT ‘0’,
`ishost` tinyint(1) NOT NULL DEFAULT ‘0’,
`flags` int(11) NOT NULL DEFAULT ‘0’,
`fraud_flag` int(11) NOT NULL DEFAULT ‘0’,
`country` int(1) NOT NULL DEFAULT ‘0’,
`state` int(3) NOT NULL DEFAULT ‘0’,
`zip` varchar(16) NOT NULL DEFAULT  »,
`latitude` double NOT NULL DEFAULT ‘0’,
`longitude` double NOT NULL DEFAULT ‘0’,
`timezone` int(3) NOT NULL DEFAULT ‘0’,
`city` varchar(28) NOT NULL DEFAULT  »,
`adsource` int(2) NOT NULL DEFAULT ‘0’,
`seeking` int(2) NOT NULL DEFAULT ‘0’,
`dob` date NOT NULL DEFAULT ‘0000-00-00’,
`credits` int(5) NOT NULL DEFAULT ‘0’,
`flatrate` timestamp NOT NULL DEFAULT ‘0000-00-00 00:00:00’,
`accept_collect` tinyint(1) NOT NULL DEFAULT ‘1’,
`accept_host_contact` tinyint(1) NOT NULL DEFAULT ‘1’,
`accept_mail_auto_responder` tinyint(1) NOT NULL DEFAULT ‘1’,
`restrict_global` tinyint(1) NOT NULL DEFAULT ‘0’,
`restrict_bc` tinyint(1) NOT NULL DEFAULT ‘0’,
`bc_mail_last_time` timestamp NOT NULL DEFAULT ‘0000-00-00 00:00:00’,
`bc_chat_last_time` timestamp NOT NULL DEFAULT ‘0000-00-00 00:00:00’,
`reply_mail_last_time` timestamp NOT NULL DEFAULT ‘0000-00-00 00:00:00’,
`photos_public` int(1) NOT NULL DEFAULT ‘0’,
`photos_private` int(2) NOT NULL DEFAULT ‘0’,
`keywords` mediumtext NOT NULL,
`set_chat_enabled` int(1) NOT NULL DEFAULT ‘1’,
`set_chat_available` int(1) NOT NULL DEFAULT ‘1’,
`set_show_profile` tinyint(1) NOT NULL DEFAULT ‘1’,
`set_show_online` tinyint(1) NOT NULL DEFAULT ‘1’,
`set_view_rated` tinyint(1) NOT NULL DEFAULT ‘0’,
`mail_auto_responder` int(5) NOT NULL DEFAULT ‘0’,
`mail_auto_responder_msg` varchar(255) DEFAULT NULL,
`security_question` int(1) NOT NULL DEFAULT ‘0’,
`security_answer` varchar(32) NOT NULL DEFAULT  »,
`caption` varchar(64) DEFAULT NULL,
`ethnicity` int(11) DEFAULT NULL,
`weight` int(11) DEFAULT NULL,
`height` int(11) DEFAULT NULL,
`bodytype` int(11) DEFAULT NULL,
`smoking` int(11) DEFAULT NULL,
`limits` int(11) DEFAULT NULL,
`opento` varchar(164) NOT NULL DEFAULT  »,
`opento_other` varchar(28) DEFAULT NULL,
`opento_abstract` mediumtext NOT NULL,
`turnsmeon` varchar(164) NOT NULL DEFAULT  »,
`turnsmeon_other` varchar(28) DEFAULT NULL,
`turnsmeon_abstract` mediumtext NOT NULL,
`lookingfor` varchar(164) NOT NULL DEFAULT  »,
`lookingfor_other` varchar(28) DEFAULT NULL,
`lookingfor_abstract` mediumtext NOT NULL,
`eye_color` int(11) NOT NULL DEFAULT ‘0’,
`hair_color` int(11) NOT NULL DEFAULT ‘0’,
`updatedon` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,

CREATE TABLE `aminno_member_email` (
`pnum` int(11) NOT NULL DEFAULT ‘0’,
`email` varchar(128) NOT NULL DEFAULT  »,
`isvalid` tinyint(1) NOT NULL DEFAULT ‘1’,
`html` tinyint(1) NOT NULL DEFAULT ‘0’,
`optin` int(1) NOT NULL DEFAULT ‘0’,
`notify_newmail` int(1) NOT NULL DEFAULT ‘1’,
`notify_newmember` int(1) NOT NULL DEFAULT ‘1’,
`notify_login` int(1) NOT NULL DEFAULT ‘1’,
`notify_offer` tinyint(1) NOT NULL DEFAULT ‘1’,

CREATE TABLE `member_details` (
`pnum` int(11) unsigned NOT NULL,
`eye_color` int(11) unsigned NOT NULL DEFAULT ‘0’,
`hair_color` int(11) unsigned NOT NULL DEFAULT ‘0’,
`dob` date DEFAULT NULL,
`profile_caption` varchar(64) DEFAULT NULL,
`profile_ethnicity` int(11) unsigned DEFAULT NULL,
`profile_weight` int(11) unsigned DEFAULT NULL,
`profile_height` int(11) unsigned DEFAULT NULL,
`profile_bodytype` int(11) unsigned DEFAULT NULL,
`profile_smoke` int(11) unsigned DEFAULT NULL,
`profile_drink` int(11) unsigned DEFAULT NULL,
`profile_initially_seeking` int(11) unsigned DEFAULT NULL,

CREATE TABLE `member_login` (
`pnum` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(28) CHARACTER SET utf8 COLLATE utf8_general_mysql500_ci NOT NULL DEFAULT  »,
`password` varchar(128) NOT NULL DEFAULT  »,
`loginkey` varchar(36) NOT NULL DEFAULT  »,
`notify` int(4) NOT NULL DEFAULT ‘0’,




A quick blog post over Adobe recent leak of customers data.

Earlier this month, Adobe announced a leak of 2.9M users personal information (including encrypted credit card data). During last weeks, some partial dump that were announced to be linked with this leak were published online but nothing really interesting was published until 24th October when someone published a link to a file called users.tar.gz on Anonews forum (the thread was deleted, google cache). Since the file was hosted on a hacked server, it was quickly deleted and nearly nobody was able to download it. Nearly. On 29th October a post on a Russian “underground” forum linked to two files : ldap.tar.gz (8.2MB) and users.tar.gz (3.8GB). Thanks to m3g9tr0n we were able to get them and to start analyzing them.

About the ldap.tar.gz file : It contains 68276 emails addresses (including 64837 address ending in @adobe.com). It seems to be a dump of an internal LDAP server but there are no password information.

About the users.tar.gz file : It contains 153.004.870 lines which format is : <some uid> -|–|- <email address> -|- <base64 of encrypted password>-|- <password hint>|–

We weren’t able to determine the algorithm used by adobe to encrypt their passwords but we think that they *may* be (simple or triple) DES or Blowfish (in CBC or ECB block mode) (UPDATE : Adobe acknowledged that it is Triple DES and it is definitively using ECB block mode). Some people stated that the password were encrypted using some kind of “modified sha1” or “double DES”. They are not. Some more statistics about the passwords : there are 130.325.717 nonempty passwords fields and only 56.045.364 unique passwords. Since the encryption algorithm uses 64 bits blocs (8 characters), we can deduce passwords’ range length distribution : 50M are between 1 and 7 characters long, nearly 80M passwords are between 8 and 15 characters long, 58k are between 16 and 23 characters long and 5.6k are between 24 and 31 characters long. (UPDATE : Jeremi Gosney analyzed the passwords count and the hints and was able to make a top 100 of the passwords used(mirror of the stats here))

About the email addresses : there are many faulty addresses (e.g. : gmail.comm, <email service provider><password> (they forgot to press the tabulation key), some other mistakes or some fake email addresses) but we can make some statistics about email providers : 35.842.643 emails accounts are from hotmail.(com|fr|co.uk|de) (in this extension order), 24.476.674 are hosted on gmail.com or googlemail.com, 24.588.216 are from yahoo‘s email service and 3.478.697 are from aol.com.

And here we are at the moment since we can’t crack those password.

PS: m3g9tr0n pointed out it would be better to include the command lines I used to give those statistics, here they are :

To get a list of of the content of the n-th field (emails : n = 3, passwords : n = 4), I used this command (here in the case of emails):

cut -d\| -f3 cred | sed -rs 's/^-//' > emails

To get a list of mail service providers with count, I ran this command :
cut -d@ -f2- emails | sort --parallel=2 -S2G | uniq -c | sort -rn > email_providers
The

--parallel

flag makes sort use multiple processes to run faster while the -S flag permits to use more memory (and thus avoid writing temporary files on the disk which will slow down the sorting).

To get the count of Hotmail’s mail addresses I used this command line :
grep -P '\shotmail\.(com|fr|co\.uk|de)$' emails_providers | awk '{s+=$1} END {print s}'

This commands adds the different counts (in the first columns) and then prints it.

Hello folks 🙂

A few days after the last post about the linkedin password leak and the quick analysis of the passwords I recovered, a friend of mine gave me a link to the eharmony password archive. This archive contains 1513836 md5 hashes. I had a very big surprise with this dump because when I started to work on it, I quickly noticed that all password were uppercased… Thanks eHarmony ! Just to remember, the number of combinations for a N characters length password made of a charset of C different letters is C^N. Here, the « standard » charset [A-Za-z0-9] (26+26+10=62 chars) becomes [A-Z0-9] (26+10=32, nearly half the previous charset).

Read More »