The fallout from the recent Adobe breach keeps growing. At first it was thought that "only" a few million passwords were leaked when the companys servers were attacked by a sophisticated hacker. While that number is already higher than it should be, the scope turned out to be at least 50x larger, with new estimates putting the number of leaked credentials at over 150 million.
Not only is this news extremely bad for Adobe, but its also having a big impact on other websites across the Internet due to the fact that people frequently use the same password on multiple sites. From large sites like Facebook to smaller sites like Diapers.com and Soap.com, companies are examining the stolen data and sending out warnings to customers that they suspect may have the same passwords. According to Krebs on Security, Adobe made the mistake of encrypting all of the passwords with a single key, so if its brute forced or stolen, the entire trove of data can be unlocked.
It also seems that hackers are actively "rattling the doorknobs" of accounts throughout the Internet; just yesterday, my own personal Yahoo! account was "flagged" due to suspicious activity, forcing me to change my password upon the next login. We wouldnt be surprised to see this trend from many other companies in the next few days.
Sadly, passwords are still an extremely poor way of securing anything of value, a topic I explored last year. Back when we thought the sample size of stolen passwords was only a few million, the BBC released a list of the top 20 most common ones that were cracked and, sadly, the list was not much different than the most common passwords from 2012. All of this just points to the fact that the sooner we get to two-factor authentication, the better well be.
Source: Krebs on Security | Image courtesy of Krebs on Security