Adobe data breach far worse than first claimed

Adobe's recent security breach has resulted in the badly-encrypted - not hashed - passwords of more than 150 million accounts leaking into the public domain.

The data breach announced by Adobe early last month is considerably more serious than the company first believed, with badly-protected passwords and ancillary data for more than 150 million of its customers being made public.

Adobe's initial report on the attack was bleak enough: at the time, the company claimed that customer IDs, passwords, payment card details and other order-related information on around three million of its customers had been leaked. Worse still, the as-yet unidentified attackers made off with the source code for several Adobe products.

In recent weeks, however, Adobe has been forced to admit that its initial estimation of the attack's scope was a little off the mark. First came the revelation that the data breach resulted in the details of over 38 million customers, not the original three million the company had claimed, being downloaded. This was followed by the publication of a list containing around 153 million account details, showing the attack to have been massively more successful than feared. Now, it has been pushed into admitting that its methods for encrypting or hashing said data were flawed.

When Adobe first announced the breach, it claimed that all personal data was stored in an encrypted format that would prevent the attackers from being able to retrieve passwords - a claim many took to mean the passwords were hashed using a one-way cryptographic function, as is industry standard practice. That, sadly, has turned out to be a false assumption: rather than hashing, the passwords were indeed encrypted - and in such a way as to make them vulnerable to attack.

When a password is hashed, it is scrambled in such a way that it becomes the next best thing to gibberish. There is no known way to take the hash of a password and reverse it to gain the original; instead, attackers are forced to hash entire dictionaries or brute-force strings word-by-word and compare them to the list of hashes for a match. Coupled with salting, where a random per-user value is mixed in before hashing so that two identical passwords produce two different hashes, this makes uncovering all but the most basic and insecure of passwords extremely difficult.

Sadly, that's not what Adobe did. Instead of a one-way hash function, the company encrypted the passwords using the Triple-DES (3DES) cipher in its insecure Electronic Code Book (ECB) mode. Worse, the company stored user-supplied password hints in unencrypted form - with many 'hints' actually repeating the password in plain text. Even where the hint was blank or apparently unhelpful, the encryption method used allows an attacker to ascertain the exact length of the password.
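As an added illustration (not code from the article, Adobe or Sophos), the Go program below uses the standard library's 3DES to encrypt constructed sample passwords under one constructed key in ECB mode and shows the leaks the two paragraphs above describe: identical passwords and shared eight-byte prefixes produce identical ciphertext blocks, and the ciphertext length alone bounds the password length, whereas a salted one-way hash gives unrelated outputs for the same password. The key, the sample passwords and PKCS#7 padding are assumptions, and SHA-256 stands in for a proper password hash.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha256"
	"fmt"
)

var demoKey = []byte("0123456789abcdef01234567") // constructed 24-byte 3DES key; the real one is not on the page

// EncryptECB: 3DES-ECB, each block enciphered on its own under one shared key, no IV, no per-user value.
func EncryptECB(key, pw []byte) []byte {
	blk, _ := des.NewTripleDESCipher(key) // only fails for a key that is not 24 bytes long
	n := 8 - len(pw)%8                    // PKCS#7 padding to whole blocks (the padding scheme is an assumption)
	pt := append(append([]byte{}, pw...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += 8 {
		blk.Encrypt(ct[i:], pt[i:i+8]) // same plaintext block -> same ciphertext block, for every user
	}
	return ct
}

// LengthRange: with PKCS#7 padding the ciphertext length alone bounds the password length.
func LengthRange(ct []byte) (lo, hi int) { return len(ct) - 8, len(ct) - 1 }

// SharedBlocks counts matching 8-byte blocks in two users' ciphertexts; under ECB each match is
// identical plaintext (a shared prefix, the same password, or a pure-padding final block).
func SharedBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+8 <= len(a) && i+8 <= len(b); i += 8 {
		if bytes.Equal(a[i:i+8], b[i:i+8]) {
			n++
		}
	}
	return n
}

// SaltedHash is the contrast: a per-user salt folded into a one-way hash (SHA-256 stands in for bcrypt/scrypt).
func SaltedHash(pw, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

func main() {
	a, b := EncryptECB(demoKey, []byte("password1")), EncryptECB(demoKey, []byte("password2"))
	fmt.Println("shared blocks:", SharedBlocks(a, b)) // 1: both begin with the block "password"
}
```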

Science-themed web comic xkcd was quick to poke fun at Adobe's security practices, describing the breach as 'the greatest crossword puzzle in the history of the world.' For those affected by the flaw - a significant proportion of Adobe's customer base, it would seem - the gaffe is likely to prove no laughing matter.

'With very little effort, we have already recovered an awful lot of information about the breached passwords,' explained Sophos' Paul Ducklin in his analysis of the leaked account details. '[This includes] identifying the top five passwords precisely, plus the 2.75% of users who chose them, and determining the exact password length of nearly one third of the database.

'Bear in mind that salted hashes - the recommended programmatic approach here - wouldn't have yielded up any such information - and you appreciate the magnitude of Adobe's blunder.'

Discuss in the forums
mi1ez 5th November 2013, 10:02
The data breach announced by Adobe early next month

Last month?
Gareth Halfacree 5th November 2013, 10:04
Originally Posted by mi1ez
Last month?
Damn, I *knew* I should have recalibrated the Tardis. What month is this? Am I too late? Has the invasion started?

That's what you get when you're so used to writing about things that are *about* to happen that "early" and "month" automatically trigger the word "next" rather than "last" in your fingers. Fixed, ta!
mi1ez 5th November 2013, 10:04
It always amazes me that the companies with the worst security tend to be tech companies. It's embarrassing!
Corky42 5th November 2013, 11:25
Will the ICO see this as serious enough to impose the maximum fine of £500,000, or maybe the people responsible will face custodial sentences?
monkiboi 5th November 2013, 12:20
Now Adobe are pushing Creative Cloud for all their software, there's now a single point of failure for hacking. Fortunately for me I decided CC wasn't worth the expenditure, so the only login details Adobe has for me were just used for Kuler.
theshadow2001 5th November 2013, 12:32
I wonder how hard it is for a big rich tech company to perform a security audit and apply fixes before something like this happens? Hopefully someone gets the sack over this.
PingCrosby 5th November 2013, 23:00
I've heard they've handed the security side over to a more competent company for the future.........Group 4.