Adobe Breached Users Now Estimated at 38 Million

30 October 2013

When news of the Adobe breach emerged at the beginning of October, the company admitted that bank card and other personal information on 2.9 million users had been stolen together with usernames and passwords for an undisclosed number of customers. That number is now put at 38 million.

Adobe spokeswoman Heather Edell said Tuesday that the figure included expired and invalid usernames, and encrypted passwords. She said that the company had reset the passwords for all affected accounts, and had notified 38 million users.

Edell said that Adobe is unaware of any unauthorized activity on any Adobe accounts as a result of the data loss. However, security expert Marcus Carey, who has worked in the U.S. Navy Cryptologic Security Group and with the NSA, says that the stolen data remains a treasure trove for cybercriminals. Even where passwords are encrypted, they can frequently be cracked through the use of password dictionaries and rainbow tables. There is also the possibility that the criminals could break the crypto algorithm used by Adobe.

The threat is not merely to Adobe users. Criminals could then use those passwords to break into users' other accounts because so many people use the same password on multiple sites. This is all the more worrying because the stolen data seems to be circulating in the criminal underground.

The breach was first highlighted by Brian Krebs and Alex Holden on 3 October. They said at the time that an unknown amount of data had been stolen that they couldn't quantify because the holding files were password protected. "But just this past weekend", wrote Krebs yesterday, "AnonNews.org posted a huge file called 'users.tar.gz' that appears to include more than 150 million username and hashed password pairs taken from Adobe. The 3.8 GB file looks to be the same one Hold Security CISO Alex Holden and I found on the server with the other data stolen from Adobe."

Adobe contacted the sites hosting the files linked to by AnonNews (one contains source code for Photoshop, in addition to the source code for Acrobat, Reader and ColdFusion already known to have been stolen), and the files have since been removed. But how many other criminals now have access to these files remains unknown.

The 38 million figure quoted by Adobe is for active users only – the actual number of stolen passwords would seem to be much higher. “We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident,” Edell told Krebs in an email. “Our notification to inactive users is ongoing.”

Adobe has reset the passwords for all accounts, whether active or inactive. The future threat from cracked passwords therefore lies not with Adobe accounts, but wherever those same passwords are used for other user accounts. It is further confirmation that users should not reuse the same password across different websites – and anyone who has done so should change them immediately.
