The Ashley Madison hack will go down in history as one of the all-time worst cybersecurity bungles. But even though users' dirty laundry was aired out for all to see, at least Ashley Madison kept their passwords safe - or so we all thought.
Initial reports were that the one thing Ashley Madison had done right was protect users' passwords. The company stored them with bcrypt, a "salt-hash-and-stretch" password-hashing scheme: each password gets a random salt, is hashed, and the hash is deliberately repeated many times to make guessing slow. Because of the salt, even two identical passwords look different once stored.
Alas, according to Naked Security, a hacker group calling itself CynoSure Prime figured out that not all of the passwords had been hashed with bcrypt. Many were stored with a much faster and weaker hash function called MD5.
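To make the bcrypt-versus-MD5 contrast above concrete, here is an added illustration (not code from the article or from Ashley Madison) that stores a few constructed sample passwords two ways: with plain MD5, and with a salt-hash-and-stretch scheme. Since bcrypt is not in Python's standard library, the example assumes PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in that follows the same three-step pattern; the password list, the function names and the `$`-separated storage format are all invented for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, Iterable, Optional

# Constructed sample passwords for the demonstration (not real user data).
# Two users chose the same password on purpose, to show how each scheme handles that.
PASSWORDS = ["hunter2", "hunter2", "correcthorse"]


def md5_store(password: str) -> str:
    """Fast, unsalted hash: the weak scheme the article says many passwords used.

    No salt and no stretching, so identical passwords give identical stored values
    and each guess costs only one cheap MD5 computation.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def stretched_store(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> str:
    """Salt-hash-and-stretch, using PBKDF2-HMAC-SHA256 as a stand-in for bcrypt.

    A fresh random 16-byte salt is drawn per password and stored alongside the
    digest, and the hash is iterated `rounds` times so each guess is expensive.
    Storage format (invented for this example): algo$rounds$salt_hex$digest_hex
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def stretched_verify(password: str, stored: str) -> bool:
    """Recompute the stretched hash with the stored salt and rounds, then compare
    in constant time so the comparison itself does not leak timing information."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def distinct_stored_values(store_fn: Callable[[str], str], passwords: Iterable[str]) -> int:
    """How many different stored values a scheme produces for the given passwords.

    With MD5 the two identical passwords collapse into one value, which is exactly
    what lets an attacker crack many accounts with one guess; with a salted scheme
    every stored value is distinct.
    """
    return len({store_fn(p) for p in passwords})


if __name__ == "__main__":
    print("MD5 distinct values:      ", distinct_stored_values(md5_store, PASSWORDS))
    print("stretched distinct values:", distinct_stored_values(stretched_store, PASSWORDS))
    record = stretched_store("hunter2")
    print("verify correct password:  ", stretched_verify("hunter2", record))
    print("verify wrong password:    ", stretched_verify("hunter3", record))
```

The point of the `distinct_stored_values` check is the one the article makes: the salted scheme hides which users share a password, while MD5 exposes it and lets a single cheap guess be checked against every account at once. The stretching (the `rounds` parameter) is what turns the "4,000 in a week" cost profile into something an attacker cannot simply scale up.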
Neither scheme was perfect - a blogger managed to crack 4,000 of the bcrypt passwords in a week. But CynoSure Prime managed to recover over 11 million MD5-hashed passwords in 10 days. If you happen to be one of the few Ashley Madison clients still using the service, change your password now.