News of Adobe hacks yet again worsens
posted Monday, November 4, 2013 at 3:11 PM EDT
It was just days ago that we learned that the Adobe data leak was worse than originally reported — but now it looks as though we might have to revise our opinion again, as news indicates the stolen passwords are stored in a fundamentally unsafe manner.
According to the new round of reports, it seems that 130 million passcodes have potentially been compromised, though many of them are from dead accounts. The real problem is how Adobe stored the passcodes. Generally, what's considered the best practice is what's known as a one-way function. That means that the process isn't reversible, instead you have to throw guessed passwords at the algorithm until something pops out that matches what's stored — and it'll be different for each password. But it seems that that's not what Adobe did, instead they were stored using "standard symmetric encryption" according to Ars Technica. That means that if a hacker discovers the key, the entire set of passwords will be unlocked.
Unfortunately, the bad news doesn't stop there. Security researcher Jeremi Gosney of Stricture Consulting Group was able to use a combination of the weak security and the unencrypted "security question" information to produce a list of the 100 most used passwords for Adobe accounts. While he doesn't have the decryption key, he was still able to gather the fact that more than 200,000 people used "adobe123" as their password.
As he put it on Twitter:
reading password hints for each adobe ciphertext is pretty much just like playing buzztime trivia. seriously.— Jeremi Gosney (@jmgosney) November 2, 2013
hints for WqflwJFYW3+PszVFZo1Ggg==: old company name, not adobe, before adobe, bought by adobe, it's macromedia, macromedia is the password— Jeremi Gosney (@jmgosney) November 2, 2013
There are other worries as well. Apparently, there are some 56 million unique passwords within the file, which, if leaked, would give hackers an immense body of passwords to try out on any and all other accounts. Since so many people constantly re-use the same password, it would provide widespread access to a great number of other services.
Adobe has been contacting people affected by the hack. But there is some indication that there are some that have not been reached out to by Adobe. A website has popped up that checks your email address against those on the list of leaked information. Assuming it's accurate, my username and password have been affected, but I've not heard from Adobe.
Regardless if you've been contacted by Adobe or not, it's probably worth changing your password anyway. And you should definitely try and create a different one for every site you use — so that when data does leak, you can limit the damage considerably.