Adobe leaks 150 million passwords; Facebook and others impacted

The fallout from the recent Adobe breach keeps growing. At first it was thought that "only" a few million passwords were leaked when the company's servers were attacked by a sophisticated hacker. While that number is already higher than it should be, the scope turned out to be at least 50x larger, with new estimates putting the number of leaked credentials at over 150 million.

Not only is this news extremely bad for Adobe, but it's also having a big impact on other websites across the Internet due to the fact that people frequently use the same password on multiple sites. From large sites like Facebook to smaller sites like Diapers.com and Soap.com, companies are examining the stolen data and sending out warnings to customers that they suspect may have the same passwords. According to Krebs on Security, Adobe made the mistake of encrypting all of the passwords with a single key, so if it's brute forced or stolen, the entire trove of data can be unlocked.

It also seems that hackers are actively "rattling the doorknobs" of accounts throughout the Internet; just yesterday, my own personal Yahoo! account was "flagged" due to suspicious activity, forcing me to change my password upon the next login. We wouldn't be surprised to see this trend from many other companies in the next few days.

Sadly, passwords are still an extremely poor way of securing anything of value, a topic I explored last year. Back when we thought the sample size of stolen passwords was only a few million, the BBC released a list of the top 20 most common ones that were cracked and, sadly, the list was not much different than the most common passwords from 2012. All of this just points to the fact that the sooner we get to two-factor authentication, the better we'll be.

Source: Krebs on Security | Image courtesy of Krebs on Security


"passwords are still an extremely poor way of securing anything of value" - Really? Name something better?

First off, I know many people use the same password for multiple sites. I do too. But I use variations of the password. The reality is, fingerprints and face recognition only go so far.

You simply can't say passwords are bad because Adobe chose to encrypt them all together in a single bunch. That is THEIR fault...not mine.

If you have a strong password like it is suggested and not using combinations of your birthdate or SS# and similar, you will have no problem.

Another fact is, if someone wants the data bad enough, they will find a way to break into it. Any code can be cracked. JUST LIKE IN THE MOVIES.

Second factor isn't really the solution. It is too much of a pain for most people and the reason that even if it is available, nobody will opt for it beyond a few people making its availability irrelevant.

As many mentioned, password managers like last pass, are in fact the more practical solution, even if not immune to every attack. All these exploits rely on the habits of people to pick bad passwords and to use the same password or similar permutations on other sites. As such the exploit is ineffective against password managers like last pass when these are properly used.

Given the attack is so unsophisticated once the password is known, a very simple unsophisticated solution like a password manager fixes the problem. Quite simply MSFT, Google and Apple should copy or join forces with the last pass (or similar) technologies and change people's behavior at the OS level.

I got the email.

I then got 4 further emails to 4 other accounts I own.

They are unique accounts, example yellow@suffix.com.

So Adobe, unlike Neowin, can't be arsed to run activation emails.

Their security was flawed from day one then.

I only have an account to download trials, so really doesn't affect me.

To get access to basically all their current applications?

Creative Cloud is such an awesome idea.

The true show of carelessness from Adobe's part will be that they won't even flinch with the unsafe CC concept despite this horrible leak. They just couldn't care less about you.

Adobe's latest tweet from @creativecloud in the midst of this brutal accident that directly impacts the idea with their cloud-based services: "We have a new LinkedIn page for #CreativeCloud and we're pretty darn excited about it. Check it out." THAT is exactly how much they care, beneath the meaningless PR talk.

I am always amazed when this happens.

First, they seem to never have a blacklist of passwords; a list of passwords that are not allowed by users. This would eliminate most of the issues by removing the most common 100+ passwords. Simple, "sorry that password is not allowed". As a developer I do just this as basic precaution, along with other standard (or what should be standard) checks and rules when a password is created.

Secondly, what darn encryption are they using that allows it to be decrypted? It should always be one way encryption, no decryption. Hash? Aren't they using a salt or other random key to add to the encryption string? What level and type of encryption?

Edited by pjosephson, Nov 14 2013, 5:24am

Aren't the passwords normally stored in one-way hashed/MD5/encrypted? So there is no way (debatable) that you can use the same password to hack/login to other service accounts?

MD5 is not an encryption algorithm. MD5 is also a weak hash function. Unless the hashes were also salted, most of these passwords will leak like mad.

PUC_Snakeman said,
So... Facebook knows that I was using the same password in 2 different places? How does Facebook know my passwords to other places?

Well they first acquire this leaked list. Next they run your leaked plain text password through their one-way hashing algorithm. Then they compare the hash just generated to the one stored for your account. If the hash created from the leaked password is the same hash for your account then they know the plain text password is also the same.

+1 I agree with you that the issue here is more on how and why Facebook knows you're using the same password. Isn't my password hashed, and who gave them permission to try using my credentials on other websites?

billyea said,
Why does Facebook know whether the password is the same? DON'T STORE PLAINTEXT!!!!

The same way that they are able to check if the password you just entered in is the one you currently have set on your account. Use your brain. They're one way hashes.

Peter van Dam said,
+1 I agree with you that the issue here is more on how and why Facebook knows you're using the same password. Isn't my password hashed, and who gave them permission to try using my credentials on other websites?

Yes, Facebook (supposedly) one-way hashes your password, but the same plain text will always result in the same hash, it's the same way they verify the password you just entered on Facebook.com is your password. If it was impossible to compare a plain text password to a hash then it wouldn't be possible to log in.

billyea said,
Why does Facebook know whether the password is the same? DON'T STORE PLAINTEXT!!!!

They don't. But a hash value is like a fingerprint. They have one for your account (of course -- to know when you've entered your password) and they obviously have those for all leaked passwords. So then they just compare fingerprints.

mrp04 said,
Yes, Facebook (supposedly) one-way hashes your password, but the same plain text will always result in the same hash, it's the same way they verify the password you just entered on Facebook.com is your password. If it was impossible to compare a plain text password to a hash then it wouldn't be possible to log in.

This would require that they have the same salt as Adobe, or no salt at all, both of which are incredible security concerns.

Northgrove said,
They don't. But a hash value is like a fingerprint. They have one for your account (of course -- to know when you've entered your password) and they obviously have those for all leaked passwords. So then they just compare fingerprints.

While a one way hash will hash the same plaintext to the same encrypted text, this is actually a security flaw and not at all good practice. You don't want this to happen for the exact reason that it makes passwords easy to guess. To combat this, it is recommended practice to add a SALT, a string of random characters unique to a site, to a user entered password before hashing it, thus resulting in the same password having different hashes across different sites.

Not salting is doing a disservice to your users, as the image in this article will attest to the effects.

Edited by billyea, Nov 14 2013, 1:43pm

I looked into this story a bit more, and it turns out we're all a little wrong. Facebook began by working out the plaintext (essentially undoing the vulnerable one-way hash that was present in Adobe's system) and then re-encrypting under their own system. In short, they don't straight verify both hashes, they do actually have the plaintext for a given account (on Adobe's site) on hand.

billyea said,
I looked into this story a bit more, and it turns out we're all a little wrong. Facebook began by working out the plaintext (essentially undoing the vulnerable one-way hash that was present in Adobe's system) and then re-encrypting under their own system. In short, they don't straight verify both hashes, they do actually have the plaintext for a given account (on Adobe's site) on hand.

You're wrong on both counts.

1) Adobe didn't use a one way hash. Just read the source article man. It is suspected Adobe used a 3DES algorithm in ECB. The statistical analysis confirms this although to date nobody has figured out the actual encryption key or that it was in fact 3DES and not something grown in house by Adobe.

Whatever the case, it is not a one way hash, for that would map to a constant hash space length, which the data confirms not to; therefore we're talking about a symmetric cipher or a really bad hash that doesn't map to a constant output length (unlikely based on statistical analysis so far).

2) FB doesn't store plain text passwords. As you seem to have found out, they don't need to when cracking the short and common Adobe passwords is easy thanks to the hints being leaked, and many of the hints giving away passwords and every match of that password in the DB.

Please, stop making sensationalist headlines about FB without even reading the sources.

billyea said,
This would require that they have the same salt as Adobe, or no salt at all, both of which are incredible security concerns.

No it doesn't. If they have the ADOBE PLAINTEXT passwords, they can run those plaintext passwords through their own hashing algorithm, just like when the user enters a password on facebook.com.

Well those passwords are as cloud stored as your passwords that you have stored on your local pc - the one you are using on the internet right now.

I too was forced to change my "harder to win the lottery" Yahoo password days ago due to "suspicious activity" even when my recent log-ins activity shows usual behavior...

I wonder if all the panic from the big ones are more related to a collective hysteria.

This is why people need to use a password manager... I use LastPass myself and have the app generate a complex password for each site.

Raa said,
Until one of those services gets hacked then all your passwords are known...

I don't think 1Password stores user information on their servers.

As for using password managers, when I'm at work, I can't use them. So, defeats the purpose unless I'm at home.

Raa said,
Until one of those services gets hacked then all your passwords are known...

I'm not sure about last pass but done correctly password managers will only store encrypted data on remote servers. You have one master password and they will manage passwords for the rest of your sites.

Raa said,
Until one of those services gets hacked then all your passwords are known...

LastPass don't keep your master password, so it's kinda useless data to the hacker.
KeePass is offline and again you need the master password to open it.

For your average Joe the one thing they should be doing is using a different password for each site they use.

You don't think it is a risk that if someone gets your master password (from say a simple keylogger), they can install the browser extension on a PC in Ukraine and access all your websites with passwords and you will never know?

kowcop said,
You don't think it is a risk that if someone gets your master password (from say a simple keylogger), they can install the browser extension on a PC in Ukraine and access all your websites with passwords and you will never know?

Of course it is still a risk, but I guess you gotta be smarter than the average Joe. I haven't run into a virus, keylogger, etc. since I was in middle school. But then again, I switched to Apple products in 2010 and use my iPhone or iPad for 1Password.

kowcop said,
You don't think it is a risk that if someone gets your master password (from say a simple keylogger), they can install the browser extension on a PC in Ukraine and access all your websites with passwords and you will never know?

You assume getting a simple key logger in everybody's machine is simple. If it was that simple everybody would get hacked daily. It happens yes, but common? No.

kowcop said,
You don't think it is a risk that if someone gets your master password (from say a simple keylogger), they can install the browser extension on a PC in Ukraine and access all your websites with passwords and you will never know?

I use LastPass, and if you have two-factor auth turned on your master password is useless when trying to log in on a new computer. And you would know, because I'm pretty sure there's a log. There's also an offline version that can be installed as well.

Mandosis said,
Again? Didn't this just happen a month or 2 ago as well? I could be thinking of something else.

It's the same incident, just the scale of the damage was hugely underestimated.