At the start of this month, Adobe disclosed that it had suffered a data breach.
The attackers had managed to access customers’ Adobe IDs, encrypted passwords, names, encrypted debit and credit card numbers, expiry dates and order details.
Brad Arkin, Adobe’s Chief Security Officer, wrote in a blog post at the time:
Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million [emphasis added] Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.
It looks like that number was a huge underestimation. According to Adobe spokesperson Heather Edell, the figure now stands at around 38 million active users, with inactive accounts still being counted:
So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users.
We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.
She also added that now Adobe had finished informing the affected active users, it was working on contacting inactive users.
We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident... Our notification to inactive users is ongoing.
At the time, Adobe also reported the theft of source code from some of its flagship products. Originally thought to be limited to Reader, Acrobat and ColdFusion, Edell has now confirmed that part of the Photoshop source code was accessed as well:
Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3.
Adobe has posted a help document for affected users.
Adobe says the stolen passwords were encrypted, but that is not a guarantee of safety. Encryption, unlike a properly salted and iterated hash, is reversible by anyone who also obtains the key, and a deterministic scheme reveals which users share a password even without it. Assume the passwords can be cracked, and let this act as another reminder to use a different password on EVERY SINGLE online account you have.
And make sure each one is a strong password too, and not just the name of your cat, dog, guinea pig or goldfish.
The BIG question is: did Adobe salt the passwords or not? And if they really were encrypted rather than hashed, did the attackers get the key as well?
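To make concrete why the salt question matters, here is an added example (written for this edit, not code from Adobe or from the original post). It models the two storage choices side by side using only the Python standard library: an unsalted, deterministic scheme, where every user with the same password ends up with the same stored value, and a per-user salted PBKDF2 scheme. Deterministic encryption has the same duplicate-revealing property as an unsalted hash, and is worse in one respect, since recovering the key recovers every password at once; the example uses an unsalted SHA-256 in place of a cipher so that it runs offline with no third-party library. The account list, the wordlist and the iteration count are constructed for the demonstration and are not data or settings from the breach.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts for this illustration; not data from the breach.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "password123",
    "bob@example.com": "password123",  # two users sharing one weak password
    "carol@example.com": "Tr0ub4dor&3",
    "dave@example.com": "correct horse battery staple",
}

# Constructed wordlist standing in for an attacker's cracking dictionary.
WORDLIST: List[str] = ["123456", "password", "password123", "qwerty", "letmein", "Tr0ub4dor&3"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example; tune to the hardware


def store_unsalted(password: str) -> str:
    """Deterministic storage with no salt: equal passwords give equal stored values.
    Stands in for any unsalted scheme, including deterministic encryption."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> Tuple[str, str]:
    """Random 16-byte salt per user plus a slow KDF. Returns (salt_hex, digest_hex)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex(), digest.hex()


def verify_salted(password: str, salt_hex: str, digest_hex: str,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    _, candidate = store_salted(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, digest_hex)


def duplicate_groups(stored: Dict[str, str]) -> List[List[str]]:
    """Users whose stored value is identical. Non-empty only when there is no salt."""
    by_value: Dict[str, List[str]] = defaultdict(list)
    for user, value in stored.items():
        by_value[value].append(user)
    return [sorted(users) for users in by_value.values() if len(users) > 1]


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """One precomputed table answers every account at once; cost is len(wordlist) hashes."""
    table = {store_unsalted(word): word for word in wordlist}
    found = {user: table[value] for user, value in stored.items() if value in table}
    return found, len(wordlist)


def crack_salted(stored: Dict[str, Tuple[str, str]], wordlist: List[str],
                 iterations: int = PBKDF2_ITERATIONS) -> Tuple[Dict[str, str], int]:
    """No table survives a per-user salt: each account needs its own guess-and-check,
    and each check costs a full KDF run. Returns (found, number of KDF runs)."""
    found: Dict[str, str] = {}
    work = 0
    for user, (salt_hex, digest_hex) in stored.items():
        for word in wordlist:
            work += 1
            if verify_salted(word, salt_hex, digest_hex, iterations):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    unsalted = {u: store_unsalted(p) for u, p in SAMPLE_ACCOUNTS.items()}
    print("shared stored values:", duplicate_groups(unsalted))
    print("unsalted crack:", crack_unsalted(unsalted, WORDLIST))

    salted = {u: store_salted(p) for u, p in SAMPLE_ACCOUNTS.items()}
    print("shared stored values:", duplicate_groups({u: d for u, (_, d) in salted.items()}))
    print("salted crack:", crack_salted(salted, WORDLIST))
```

Run as a script, the unsalted store shows straight away that alice and bob share a password, and a single six-entry table cracks three of the four accounts at the cost of six hashes. With salts, no two stored values match, and the same dictionary has to be replayed per account (18 KDF runs here), each run costing the full iteration count. Note that salting and stretching make cracking more expensive, not impossible: the weak passwords still fall, which is why reuse across sites is the real risk.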
It's not realistic to expect people to use a different password for every single online account. More nuanced advice would be appropriate.
And what would your advice be, Jimmy? I for one use a different password for each and every online account or website I sign into – and I have hundreds. Very easy with programs like 1Password, Roboform etc. to keep track.
I use different passwords on different sites (besides trivial ones) and I know it's not terribly difficult. I just don't think it's realistic to expect the bulk of the population to do so.
Also, can you trust cloud services to store your passwords – otherwise how to access from multiple devices?
If, like me, you find you have a lot of strong passwords to remember then I'd suggest you use a password manager and protect it with a very strong password and two factor authentication.
As to salts – the Adobe blog post suggests the passwords were encrypted rather than hashed. If the passwords were hashed then we can't assume the salt is safe anyway – Adobe's front door has been well and truly thrown open.
The salt *might* be safe and the hashing *might* be deep enough to slow the cracking down to an impractical speed but do you want to rely on that? That would be putting a lot of faith into a series of blind guesses about both Adobe's security expertise and the capabilities of whichever unknown criminals now have possession of the stolen data.
We can hope the encryption or hashing hasn't been broken but we should assume it has.
Of course it IS realistic. I personally have different, complex passwords for each online account used for any monetary exchanges and I change those passwords at least once every 90 days. Inconvenient, yes, but much less inconvenient than having your identity stolen or expecting someone else to protect you when you refuse to even take a step toward protecting yourself.
Mel, what do you see as the benefit of changing password every 90 days? Do you really think someone out there is trying to brute force your password for days on end?
Jimmy wrote: “It’s not realistic to expect people to use a different password for every single online account. More nuanced advice would be appropriate.”
It's not realistic to expect that "more nuanced advice" can change the REALITY that using the same password on multiple sites exposes the user to a level of risk that some folks are unwilling to accept. I'm one of them.
Unless you transact no business online and have given no personally identifiable information to any site, you are at risk of identity theft at best if any of your online accounts is hacked. And if you've used the same password anywhere else, your exposure is multiplied.
The bad guys are counting on the mythical belief that using a different password on every site is "unrealistic". There is no longer any sensible reason not to use a different complex password for every site, which means that using a password manager is a fact of life now. You don't have to like it, but you ignore it at your own peril.
Anyone else find it interesting that, even though Adobe is making all these people change their passwords, there is no password enforcement in place to stop people from reusing the same password they had originally?
It would be very interesting to hear how they got in. Was it an undiscovered zero-day exotic penetration, or a simple default password, sloppy injection handling or an unpatched server?
What I find interesting is that nothing is being offered for the complete inconvenience of having to get a new credit card and having to update all the online payment sources I use.
Anna,
This discussion is very pertinent, about using unique passwords for every secure site, changing them regularly, and recording them in a safe place accessible to no one else.
In the past, Sophos has recommended LastPass. I for one would be reluctant to store passwords online with a third party like LastPass. Suppose they are hacked!
I use unique email addresses for accounts like Adobe and this has now started to receive junk mail. When this sort of thing happens I then block that email address and change the one used for the compromised account. This has happened before for a small online trader and other minor login accounts but it's the first time it has happened to me for a major player like Adobe.
I believe the bottom line customers have for software giants like this is:
They can do more. Companies like to talk in dollars. Well how many of their customers spend hundreds, sometimes thousands of dollars for their software and have all of these accounts for licenses only to have all of it come to basically a halt. Thousands of dollars come their way and their protection of consumer information seems shoddy at best.
They can do more and do better.
Here's xkcd's take on this: http://xkcd.com/1286/