320 Million Hashed Passwords Reversed by the CynoSure Prime Group


The CynoSure Prime group is back, and has managed to reverse 320 million hashed passwords released by the security researcher Troy Hunt.

A couple of years ago, the anonymous CynoSure Prime cracktivists reversed hashes of 11 million leaked passwords of Ashley Madison. The passwords were protected by the cryptographic algorithm bcrypt, which implements “salting” of the hashed passwords to protect them against rainbow table attacks.

Not long ago, the security expert Troy Hunt released the passwords that were stolen from different sources like the Exploit.in list and the Anti Public list.

The CynoSure Prime group, together with the German IT security PhD student @m33x and the researcher Royce Williams (@tychotithonus), accepted the challenge.

The passwords disclosed by Hunt were sourced from various data leaks, and many of them were protected with weak hashing algorithms such as SHA-1.

Using the MDXfind tool, the security experts found that 15 different hashes were in use. They also noticed that Hunt’s dump includes personally identifiable information of some people, which Hunt likely didn’t intend to release.

“We also saw unusual strings from incorrect import/export that was already present in the original leak. This links the hash to the owner of the password, which was clearly not intended by Troy. We found more than 2.5m email addresses and about 230k email:password combinations.”

<firstname.lastname@tld><:.,;| /><password>
<truncated-firstname.lastname@tld><:.,;| /><password>
<@tld><:.,;| /><password>
<username><:.,;| /><password>
<firstname.lastname@tld><:.,;| /><some-hash>

According to Hunt, the presence of junk data is due to some mistakes in parsing made by the original authors.

Troy Hunt is currently working with the CynoSure Prime data to remove the junk data from the hashed lists hosted on the HaveIBeenPwned website.
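One way to flag entries of the kinds listed above before a recovered-password list is published (an added example, not CynoSure Prime's or Troy Hunt's code). The regular expressions, the hex-digest lengths and the sample strings are assumptions; the bare <username><delimiter><password> form is not detected, because it cannot be told apart from an ordinary password.

```python
import re
from collections import Counter

# Delimiters from the patterns quoted above, minus '.', which cannot be told
# apart from dots in the domain; '.'-joined entries are flagged as "email".
DELIMS = r"[:,;| /]"
# Local part may be empty or truncated (the <@tld> and truncated forms).
EMAIL = r"[^\s@:;,|/]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
COMBO = re.compile(rf"({EMAIL}){DELIMS}(.+)")
# Assumption: "some-hash" means a hex digest of MD5, SHA-1 or SHA-256 length.
HEX_DIGEST = re.compile(r"(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})")


def classify(plaintext):
    """Return 'email', 'email:password', 'email:hash', or None (no address found)."""
    if re.fullmatch(EMAIL, plaintext):
        return "email"
    m = COMBO.fullmatch(plaintext)
    if not m:
        return None
    return "email:hash" if HEX_DIGEST.fullmatch(m.group(2)) else "email:password"


def scrub(plaintexts):
    """Split plaintexts into a publishable list and a count of withheld entries."""
    keep, withheld = [], Counter()
    for p in plaintexts:
        label = classify(p)
        if label is None:
            keep.append(p)
        else:
            withheld[label] += 1
    return keep, withheld


# Constructed sample plaintexts (not taken from any real dump).
SAMPLE = [
    "hunter2",
    "p@ssw0rd",                            # '@' but no domain: ordinary password
    "jane.doe@example.com",                # bare address
    "jane.doe@example.com:hunter2",        # address, delimiter, password
    "ne.doe@example.com;letmein",          # truncated local part
    "@example.org|qwerty123",              # empty local part
    "john.roe@example.net " + "a" * 40,    # address followed by a 40-hex digest
    "bob:secret",                          # username form: not detectable
]

if __name__ == "__main__":
    print(scrub(SAMPLE))
```

A password that happens to look like an address, such as "me@home.now", is withheld as well; for a list meant for public release that is the safer failure.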

By now, the security experts managed to “recover all but 116 of the SHA-1 hashes”.

The researchers claim that most of the passwords in the HaveIBeenPwned release are between 7 and 10 characters long.

“In order to speed up the analysis of such a large volume of plaintexts, a custom tool was coded “Panal” (will be released at a later time) to quickly and accurately analyse our large dataset of over 320 million passwords. The longest password we found was 400 characters, while the shortest was only 3 characters long.” the post published by the CynoSure Prime group states. “About 0.06% of passwords were 50 characters or longer with 96.67% of passwords being 16 characters or less. Roughly 87.3% of passwords fall into the character set of LowerNum 47.5%, LowerCase 24.75%, Num 8.15%, and MixedNum 6.89% respectively. In addition we saw UTF-8 encoded passwords along with passes containing control characters. See [9] for full Panal output.”

Nelly Vladimirova
Nelly Vladimirova has been working as a journalist since 1998 with a main focus on Finance, Economics, and IT. In 2004 she graduated from the University of Plovdiv, Bulgaria, with a Bachelor's degree in English Philology and a Master's degree in Linguistics and Translation. Later, Nelly received a postgraduate certificate in Business Management from Scott's College, UK. Presently, she is presenting the latest news related to computer security at www.virusguides.com.

