Avid Life Media hard-coded a variety of credentials into its source code, which may have helped enable the attack. ALM uses neither CAPTCHAs nor email verification to weed out bots during the account creation process, so individuals’ email addresses may have been used to create Ashley Madison profiles without their knowledge. Ashley Madison’s security team did encrypt users’ passwords using bcrypt, but some of the weakest passwords in the database could still be cracked. The company was right to encrypt the passwords.

