Adobe spokeswoman Heather Edell said Tuesday that the figure included expired and invalid usernames, and encrypted passwords. She said that the company had reset the passwords for all affected accounts, and had notified 38 million users.
Edell said that Adobe is unaware of any unauthorized activity on any Adobe accounts as a result of the data loss. However, security expert Marcus Carey, who has worked in the U.S. Navy Cryptologic Security Group and with the NSA, says that the stolen data remains a treasure trove for cybercriminals. Even where passwords are encrypted, they can frequently be cracked through the use of password dictionaries and rainbow tables. There is also the possibility that the criminals could break the crypto algorithm used by Adobe.
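Why "encrypted" or hashed password data stays dangerous is easier to see on a small constructed dump. The following added example (not from the article, nor Adobe's actual scheme, whose details the article does not give) contrasts an unsalted one-way digest, where identical passwords collide and a single precomputed dictionary table resolves every matching entry at once, with a per-user salted and stretched scheme in which neither shortcut works; the user list and common-password list are constructed sample data.

```python
import hashlib
import secrets
from collections import Counter

# Constructed sample: account names and the plaintext each user chose, kept
# here only so the demo can derive both storage forms for comparison.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",   # same password as alice
    "dave": "summer2013",
}

# Constructed short list of common passwords standing in for a dictionary.
COMMON_PASSWORDS = ["123456", "password1", "letmein", "qwerty"]

def unsalted_store(users):
    """Weak scheme: one SHA-256 digest per password, no salt, no stretching."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}

def salted_store(users, iterations=200_000):
    """Stronger scheme: random per-user salt plus PBKDF2 work factor."""
    store = {}
    for u, p in users.items():
        salt = secrets.token_bytes(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt, iterations, dk)
    return store

def duplicate_digests(store):
    """How many stored values repeat; unsalted storage leaks shared passwords."""
    counts = Counter(store.values())
    return sum(1 for c in counts.values() if c > 1)

def precomputed_hits(store, dictionary):
    """Rainbow-table style lookup: one digest table is reused across the dump."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in dictionary}
    return {u: table[d] for u, d in store.items() if d in table}

def verify_salted(store, user, attempt):
    """Verification for the salted scheme: recompute with that user's salt."""
    salt, iterations, dk = store[user]
    cand = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, iterations)
    return secrets.compare_digest(cand, dk)
```

With the salted store, `precomputed_hits` has nothing to match against and `duplicate_digests` returns zero even though alice and carol share a password.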
The threat is not merely to Adobe users. Because so many people use the same password on multiple sites, criminals could use cracked passwords to break into those users' other accounts. This is all the more worrying because the stolen data appears to be circulating in the criminal underground.
The breach was first highlighted by Brian Krebs and Alex Holden on 3 October. They said at the time that data had been stolen but that they couldn't quantify how much, because the files holding it were password protected. "But just this past weekend", wrote Krebs yesterday, "AnonNews.org posted a huge file called 'users.tar.gz' that appears to include more than 150 million username and hashed password pairs taken from Adobe. The 3.8 GB file looks to be the same one Hold Security CISO Alex Holden and I found on the server with the other data stolen from Adobe."
Adobe contacted the sites hosting the files linked to by AnonNews (one contains source code for Photoshop, in addition to the source code for Acrobat, Reader and ColdFusion already known to have been stolen), and the files have since been removed. But how many other criminals now have copies of these files remains unknown.
The 38 million figure quoted by Adobe is for active users only – the actual number of stolen passwords would seem to be much higher. “We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident,” Edell told Krebs in an email. “Our notification to inactive users is ongoing.”
Adobe has reset the passwords for all accounts, whether active or inactive. The future threat from cracked passwords is therefore not to Adobe accounts but to any other accounts where the same passwords are used. It is further confirmation that users should not reuse the same password across different websites – and anyone who has done so should change those passwords immediately.