The infamous Ashley Madison hack, which compromised and exposed the information of more than 30 million users accessing the site to flirt with or commit infidelity, has been in the spotlight for some time now. However, as security experts look at the incident in more detail, they're pointing fingers at some specific gaffes that made the breach all the more likely.
For starters, the Ashley Madison site is allegedly fraught with coding errors. London-based blogger and security consultant Gabor Szathmari writes that the Ashley Madison source code “contains AWS tokens, database credentials, certificate private keys and other secret credentials.” The AWS tokens, in particular, are a serious risk, because they make "lateral movement" between the systems easier, upping the chances that an initial breach could lead to a full-scale breach of the entire site.
Experts add that it was also irresponsible to store items such as Twitter OAuth credentials, private keys of SSL certificates and various application-specific tokens in-code.
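As an added example (not from the article, and not code from the Ashley Madison site), here is a small Python scanner of the kind a defender would run in CI or a pre-commit hook to flag the categories of hard-coded secret the post lists. The AWS access key ID prefix is the public format; the other patterns are contextual heuristics assumed here, and the sample "source file" is constructed with fake values.

```python
import re
from typing import List, Tuple

# Ordered from most to least specific; a line is reported under the first
# pattern it matches. Assumption: these heuristics are illustrative, not
# exhaustive, so a real scanner would carry a larger rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}", re.I),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "db_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:/@]+:[^\s@]+@"),
    "generic_secret": re.compile(
        r"(?:secret|token|password|passwd|api_key)\w*\s*[=:]\s*['\"][^'\"]{8,}['\"]",
        re.I),
}

def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, secret_kind) for each line that looks like a credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, kind))
                break  # report only the most specific match per line
    return hits

# Constructed sample config file; every value below is a fake placeholder.
SAMPLE_SOURCE = """\
# config.py (constructed example)
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
aws_secret_access_key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN"
DATABASE_URL = "postgres://app:NotARealPassw0rd@db.internal:5432/prod"
TWITTER_CONSUMER_SECRET = "fakeconsumersecretvalue123"
LOG_LEVEL = "info"
SSL_KEY = '''-----BEGIN RSA PRIVATE KEY-----
placeholder
-----END RSA PRIVATE KEY-----'''
"""

if __name__ == "__main__":
    for lineno, kind in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: possible {kind}")
```

A hit should fail the commit or build, so the credential is moved to a secrets manager or environment variable before the code ever reaches the repository.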
Allowing passwords that were easy to crack proved to be yet another error that likely contributed to the breach's scale. According to security experts, the minimum password length was as little as 5 characters, and many passwords included only two character classes.
In addition, security firm Avast issued a new report finding some of its users' passwords "were among the worst, most common passwords you could possibly pick to secure your adulterous online dating account," according to Business Insider.
Avast says the worst passwords involved in the breach included: 123456, password, 1234, 12345678, qwerty, secret, dragon, welcome and ginger. Others included sparky, helpme, nicole, justin, camaro, yamaha, midnight and chris.
“There is no excuse for using terrible passwords, considering that the usage of intelligent passwords plays a key role in keeping you safe from attacks and breaches,” Avast says. “Even with one of the strongest password encryption algorithms out there, it was trivial to get a large list of weak passwords by checking known passwords against the list of hashes.”
Sharing credit card info
Although the site offers customers the option to pay fees anonymously, many users opted simply to enter their credit card information, which left them even more exposed in the wake of a breach.
"Most people don't think about it when they swipe a credit card or give the number to an online retailer, but the transaction actually reveals quite a bit about you. First and foremost: your name. In the Ashley Madison hack, those responsible are threatening to expose data that include payment information linked to painfully sensitive details from users' profiles," explains a Bloomberg article.
Hopefully, the Ashley Madison site's staff, as well as its users, will learn from these mistakes in the future—along with the negative impacts tied to infidelity, of course.