On October 3rd, Adobe announced a data breach that, at the time, it believed affected only about 3 million accounts. Towards the end of October, however, a leaked database surfaced containing more than 150 million usernames and encrypted passwords.

The diverse customer base of Adobe is reflected in the database. In my analysis, I discovered 234,379 military and government email addresses, encrypted passwords and password hints in the compromised database.

Here is a chart of the breakdown by branch of just the military accounts exposed:

Adobe Data Breach Military Accounts

This is in addition to the more than 6,000 accounts from defense contractors such as Raytheon, Northrop Grumman, General Dynamics and BAE Systems that we also found. On the federal side, there were 433 FBI accounts, 82 NSA accounts and 5,000 NASA accounts compromised in the breach.

It should be noted that these passwords were not hashed. Instead they were protected with symmetric encryption using a single key for every password in the database, with no per-user salt or randomness. That design has two consequences: the same password produces the same ciphertext for every user who chose it, and recovering that one key, whether by cracking it or by it leaking, decrypts all of the passwords at once. It is therefore assumed to be only a matter of time before the key is obtained and every password is exposed.

Although people usually think of Adobe as a brand associated with creative software such as Photoshop, Illustrator and the like, it is also the developer of Acrobat – for the most part the de-facto PDF reader – and of server platforms like ColdFusion, both of which also had their source code stolen as part of this breach. These and other document management and communication tools are used by Fortune 500 companies and governments alike.

This breach at Adobe is potentially much more damaging to national security than anyone from the company has acknowledged, and the repercussions could be tremendous should the attackers crack the weak encryption before these accounts are secured.

I Know Your Password

One of the particularly dangerous aspects of the Adobe data breach is the fact that the password hints are stored in plain text. Although attackers may not be able to decrypt a password (yet), one can make highly educated guesses, even if your own record does not have a password hint: every other user with the same encrypted value shares your password, and their hints apply to you too.

If your password is even slightly common, it can be discovered. With permission, I was able to guess several passwords of users in the database. In one case I guessed the password was “oregon” by searching for the encrypted password, which returned 1,056 results along with hundreds of helpful hints from others who used the same password.

Example of password hints for users whose password is "oregon"

Looking at just a few samples of passwords used by military, government and defense contractor accounts, the majority were common passwords. In many cases it was also easy, once a business or work email was established, to identify the same person's home email account: it had a similar user name and the same password, just with a different domain from a free email provider like Gmail or Yahoo.
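The analysis described above (cluster records by identical stored value, read the hints other users attached to that cluster, then pivot from a work address to a home address with the same user name and the same stored value) as an added Python example. This is not the post's code and no real records are used: the fixture accounts and domains are constructed, and `store_single_key` is a stand-in (HMAC under one made-up key) chosen only because it has the two properties the post attributes to Adobe's scheme, one shared key and no per-user randomness; it is not the cipher Adobe used. The `store_salted` variant shows why per-user salted hashing defeats the whole approach.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Stand-in for the leaked store. The post describes one symmetric key shared by
# every record and no per-user randomness, so identical passwords produce
# identical stored values. HMAC under a fixed key is used here ONLY as a
# deterministic keyed function the analyst cannot invert; it is not the cipher
# Adobe used, and the key below is made up.
_SHARED_KEY = b"hypothetical-single-server-key"


def store_single_key(password):
    """Deterministic, single-key protection: same password -> same output."""
    return hmac.new(_SHARED_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


def store_salted(password, salt=None):
    """Hardened alternative: per-user random salt + slow hash (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def build_leak(store, accounts):
    """accounts: (email, password, hint) -> leak rows (email, stored_value, hint)."""
    return [(email, store(pw), hint) for email, pw, hint in accounts]


# Constructed fixture (no real data). The 'oregon' cluster and the work/home
# pair are modelled on the patterns the post describes; domains are invented.
ACCOUNTS = [
    ("jdoe@example.mil", "oregon", ""),                 # work account, no hint
    ("jdoe@gmail.example", "oregon", "home state"),     # same person, home account
    ("alice@example.gov", "oregon", "ducks"),
    ("bob@example.com", "oregon", "state"),
    ("carol@example.com", "oregon", "where I live"),
    ("dave@contractor.example", "Summer2013", "season+year"),
    ("erin@example.com", "correct horse", "xkcd"),
]
WORK_DOMAINS = {"example.mil", "example.gov", "contractor.example"}
LEAK = build_leak(store_single_key, ACCOUNTS)


def group_by_stored_value(rows):
    """Cluster records whose stored value is byte-for-byte identical."""
    groups = defaultdict(list)
    for email, stored, hint in rows:
        groups[stored].append((email, hint))
    return groups


def crowd_hints(rows, email):
    """Hints OTHER users attached to the same stored value as `email`.

    Works even when `email`'s own record has no hint at all.
    """
    stored = next(s for e, s, _ in rows if e == email)
    return sorted({h for e, h in group_by_stored_value(rows)[stored] if h and e != email})


def largest_clusters(rows, n=3):
    """Most-reused passwords first: cluster size is a frequency count in the clear."""
    groups = group_by_stored_value(rows)
    return sorted(((len(v), k) for k, v in groups.items()), reverse=True)[:n]


def link_home_accounts(rows, work_domains):
    """Pair each work address with addresses sharing its local part AND its
    stored value: same person, same password, different provider."""
    by_local = defaultdict(list)
    for email, stored, _ in rows:
        local, domain = email.rsplit("@", 1)
        by_local[local].append((domain, stored))
    links = []
    for local, entries in by_local.items():
        work = [(d, s) for d, s in entries if d in work_domains]
        home = [(d, s) for d, s in entries if d not in work_domains]
        for wd, ws in work:
            for hd, hs in home:
                if ws == hs:
                    links.append((f"{local}@{wd}", f"{local}@{hd}"))
    return links


def reuse_is_visible(rows):
    """True if any two records share a stored value, i.e. clustering works."""
    return any(len(v) > 1 for v in group_by_stored_value(rows).values())


if __name__ == "__main__":
    print("hints for jdoe@example.mil:", crowd_hints(LEAK, "jdoe@example.mil"))
    print("largest clusters:", largest_clusters(LEAK))
    print("work/home links:", link_home_accounts(LEAK, WORK_DOMAINS))
    print("reuse visible (single key):", reuse_is_visible(LEAK))
    print("reuse visible (salted):", reuse_is_visible(build_leak(store_salted, ACCOUNTS)))
```

Run against the single-key store, the work account with no hint of its own inherits four hints from strangers who chose the same password, and its home account is found by the matching user name plus matching stored value. Run against the salted store, every record has a unique value, so neither the clustering nor the cross-account pivot has anything to work with; the attacker is back to guessing one user at a time.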

We have just started to see the implications of this data breach and the other shoe is about to drop…in fact I anticipate it will be raining shoes over the next few months.



Ken Westin

Ken Westin has contributed 110 posts to The State of Security.
