Massive Adobe Breach Affects Millions

The massive data breach which occurred recently at Adobe has resulted in the theft of the source code of some of its proprietary products and the compromise of at least 38 million user account credentials. A tarball of the account information was recently uploaded to Anonymous-related websites, meaning that if you have or have had an account at Adobe, then your password data along with identifying information (your e-mail address) is now out in the wild.

Visitors here will know better than to reuse passwords between websites, but research has proven time and time again that the average user has at most two or three passwords, perhaps slightly modifying them where password strength requirements differ (e.g. appending a zero on sites that require a mix of character types) or where password changes are enforced. This subset of Internet users is also unlikely to have selected a password that would withstand dictionary cracking, meaning that their plaintext password will no doubt be obtained quickly.

So what could you do with all these credentials? Many of these e-mail accounts will be with webmail providers. Those that are not will likely have external POP or IMAP access. Obviously this is great news for spammers, especially if these organisations run an SMTP server that allows remote relaying after authentication, but perhaps we are misunderstanding the true value of these accounts.

People increasingly manage their lives through their e-mail accounts. Even if we assume that our dear user has only partially reused passwords, it would nonetheless be trivial for our hypothetical hacker to simply use a "forgotten password" link on said site and reset the password. If he uses information gleaned from the account (e.g. timezone information from a recently sent item in the Sent folder), then he can time this for an hour when the account compromise will not be discovered for some time, buying him a few hours to perform whatever nefarious act he pleases.

Unfortunately, your e-mail address is a unique identifier. Please take a moment to consider whether you have reused the same password across different domains. If you think this is too much trouble, then at least ensure that you never reuse the password for your primary e-mail account. That just makes it too easy for them.

Adobe are busy sending out millions of password reset links. If you receive such an e-mail, please have a think about where you may have used the same password and set about implementing a better policy.

I guess I should mention that password managers are no panacea. There have been vulnerabilities in the past in software such as LastPass that have enabled remote retrieval of such information. If you choose to use such software, then ensure that it encrypts your password database with your master password before synchronising it to the cloud, and be mindful that you have consolidated risk.

The data is not in the standard salted-and-hashed format you would expect but is instead encrypted with a key using 3DES, which may at least somewhat dampen the consequences for those exposed. That said, even if a password cannot be recovered, metadata including the user's e-mail address has been leaked to the world.
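For contrast with the reversible, single-key 3DES scheme described above, here is the one-way storage format a site should use, written as an added example for this post (it is not Adobe's code, nor the author's). Each record carries its own random salt and a slow key derivation (PBKDF2-HMAC-SHA256 from the Python standard library), so there is no key whose theft recovers every password at once, two users who chose the same password get different records, and verification uses a constant-time comparison. It also includes a small sign-up check against a constructed list of common words, stripping the one- or two-digit suffixes users bolt on, which mirrors the reuse habit discussed earlier. The iteration count and the word list are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumed parameters for illustration; tune ITERATIONS upward for production.
ITERATIONS = 200_000
SALT_LEN = 16

# Constructed mini "dictionary" standing in for a real common-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "adobe", "monkey"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the record's own salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def records_collide(password: str) -> bool:
    """True only if two independent records for the same password are identical.

    With per-record random salts this is False, unlike a deterministic
    single-key cipher where equal passwords yield equal ciphertexts.
    """
    return hash_password(password) == hash_password(password)


def is_common_password(password: str) -> bool:
    """Reject dictionary words, ignoring case and a trailing one- or two-digit suffix."""
    base = re.sub(r"\d{1,2}$", "", password).lower()
    return base in COMMON_WORDS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(is_common_password("Password0"))
```

Note that the record format stores the iteration count, so the cost can be raised later and old records upgraded on the user's next successful login without a forced reset.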


2 thoughts on “Massive Adobe Breach Affects Millions”

    • Good idea! I couldn’t believe how many hashes I was able to crack easily using my dictionaries on the previous Gawker disclosure. Just shows that the vast majority of users have simple passwords (English words, or English words with a one- or two-digit number prefix or suffix, with the words either in lowercase, uppercase first letter, or all uppercase) that are easily cracked if a hash appears online /and/ are stupid enough to re-use their passwords.
