Adobe Hack 2013 – 150 Million Compromised Accounts


Potentially 150 Million Users Affected - Not 3 Million as Earlier Reported

It appears the company behind such great software platforms as Photoshop, Dreamweaver and Adobe Reader was a little lax in its security practices.

Last month Adobe announced a security breach on its network, revealing that hackers had gained access to the account information of approximately 2.9 million users. Among the information stolen was encrypted credit card data and user name/password pairs, as well as the source code for numerous Adobe products. That number quickly ballooned to 38 million users, as reported by KrebsOnSecurity; however, Adobe has indicated that the additional user information did not contain payment information, as it was stored in a different database. Either way, with so many people using the same password for every account they hold, this database of username/password pairs is a gold mine to hackers.

In a letter sent to affected customers, myself included, Adobe explained details of the breach including that the attacker had decrypted some accounts' credit card numbers using Adobe's own systems. However, Adobe said that it couldn't confirm whether any of that decrypted information had actually been removed from its servers, and reports indicate that Adobe hasn't seen any sign of unauthorized activity on compromised accounts. An excerpt from the letter is below.

Although our investigation is ongoing, we believe that the third party likely removed from our systems certain customer names, payment card expiration dates, encrypted payment card numbers, and other information relating to customer orders. In addition, the third party used our systems to decrypt some card numbers. We have not been able to confirm that any decrypted card numbers were removed as a result of this access to our systems.

But things don't seem to be getting any better. On November 7th The Verge reported that a database of Adobe user data containing over 150 million "breached records" has turned up online at a website used by cyber criminals. The file containing all the user data is a staggering 10GB when uncompressed. Adobe's little blunder could rank as the worst security breach in Internet history.

After analyzing a sample pool of records that were part of the leak, Sophos found that Adobe used some questionable encryption techniques which could allow hackers to easily decrypt the data in their possession.

Adobe spokesperson Heather Edell said the company has just completed a campaign to contact active users whose user IDs with valid, encrypted password information were stolen, urging those users to reset their passwords. She said Adobe has no indication that there has been any unauthorized activity on any Adobe ID involved in the incident.

“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” Edell said [emphasis added]. “We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.”

Edell said Adobe believes that the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data which may account for the inflated numbers being reported. “We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident,” she wrote in an email. “Our notification to inactive users is ongoing.”

Although Adobe indicates there has not been any unauthorized activity detected on Adobe accounts, that doesn't mean the hackers aren't using the data in other ways. As mentioned many times in this blog, a vast number of people online use the same user name/password combination on multiple accounts, so a database containing hundreds of millions of active or inactive usernames and passwords is a treasure chest for online criminals.

LastPass, a service I recommend for maintaining separate, highly secure passwords for all your accounts, has put up a page on its site where users can check their emails against the list of over 150 million that was posted online and see if their information is contained in that list.

I highly recommend you take one minute of your time and visit that link, just click the image above, and see if your email address is one of the ones on that massive list of information that is being passed around the hacker world.

If it is, you then need to confirm whether or not you've used the same user name and password on any other online accounts you may have and, if so, change the passwords to something else. If you don't already use LastPass or another password management system, then this may be a good time to look into them.
