Cracked passwords from the alleged ‘Egyptian hacker’ Adobe breach

Cracked passwords from the alleged 'Egyptian hacker' Adobe breach

An allegedly Egyptian hacker going by the name ViruS_HimA has allegedly hacked into Adobe.

According to himself, he’s made off with a largish database of personally identifiable information.

ViruS_HimA, who also goes by the name adam in his email address, has leaked what he says is a subset of the stolen data, aimed at giving some credibility to his claims.

The leak includes 644 database entries, supposedly split between Adobe, .mil and .gov email addresses.

I have Hacked into one of Adobe servers, Gained full access to it, Dumped the Database, It contains over 150,000 Emails, Passwords with full data for a lot of Adobe customers and partners including Emails and Passwords for "Adobe Employees", "US Military", "USAF", "Google", "Nasa", ".Edu" and many many more companies around the world!

In his leaked sample, Hima/Adam let a few non-US identities slip out. The occasional email addresses from countries as far apart as Argentina, Australia, New Zealand and the UK remind us of the global nature of the data he claims to have stolen.

Here’s a sample of his sample:

The leaked data could, of course, be from another source, or a mash-up from previous leaks, or even artifically generated.

Adobe hasn’t published anything official on its blogs yet, but is reported to be looking into the issue; we’re unlikely to know whether the company really was breached or not until it finishes its investigation.

[Update at 2012-11-15T12:41Z. Adobe has confirmed the breach. The company says it was hacked via its Connectusers forum. The Connect service itself was not breached. Affected users, it seems, have had their passwords reset for safety.]

In the meantime, if the data is real (whether it comes from Adobe or anywhere else), there are three giant problems with it.


Firstly, the passwords in the list are hashed, but without any salt. A salt is random content mixed with the password before hashing, so that repeated passwords do not cause repeated hashes.

You simply must use salted hashes, to stop crackers using a simple precomputed dictionary to crack your passwords super-fast.


Secondly, the hashes consist of a single iteration of MD5 applied directly to the password.

You simply must use many iterations of your chosen hash, to slow down crackers by making brute-force attacks harder by a factor as big as the number of iterations.

By the way, avoid MD5. It is known to have cryptographic flaws that entirely undermine its promise of security. In any new code, you may as well use the most recent officially-blessed hashing algorithm: SHA-3.


Thirdly, as you’ve probably guessed, close to half of the passwords can be cracked in an hour or so with little effort.

You simply must use complex and non-obvious passwords, to prevent crackers from easily guessing what you chose.

Cracking this latest password list yields up the words breeze and connect (Adobe product names) four times each. Other repeated passwords include the what-were-they-thinking-of choices 123456, letmein and welcome.

A few users tried to mix it up a bit: c0ffee introduced a numeric character and Hello! included both upper case and punctuation. But modern password crackers don’t even break their stride to figure out that sort of permutation.

Even more robust efforts like Skan123$, ilbgw2g, lrwj4elj and th3tr12l don’t cut the mustard. Eight characters and predictable patterns are no match for automated cracking tools.

So, however Hima/Adam came by his data, take this as yet another password-protection lesson.

SALT. This confounds dictionary attacks.

ITERATE. This confounds brute force attacks.

COMPLICATE. This confounds guessing attacks.

To learn more about managing, choosing and policing passwords in your organisation, why not listen to our popular Techknow podcast on this very topic?

(If you prefer to listen offline, you can download the podcast for later.)

PS. Feeling a sense of déjà vu? Perhaps the Philips breach is why. Or LinkedIn. No? Maybe it’s the TechRadar incident. Or Mozilla.