On October 3rd, Adobe announced a data breach that it then believed affected only about 3 million accounts; towards the end of October, however, a database leaked that contained more than 150 million usernames and encrypted passwords.
The diverse customer base of Adobe is reflected in the database. In my analysis, I discovered 234,379 military and government email addresses, encrypted passwords and password hints in the compromised database.
Here is a chart of the breakdown by branch of just the military accounts exposed:
This is in addition to the more than 6,000 accounts from defense contractors such as Raytheon, Northrop Grumman, General Dynamics and BAE Systems that we also found. On the federal side, there were 433 FBI accounts, 82 NSA accounts and 5,000 NASA accounts compromised in the breach.
It should be noted that these passwords were not hashed. They were encrypted with a symmetric cipher using a single key for every record and no per-user salt, so two users who chose the same password have exactly the same encrypted value in the database. Until the key is recovered nobody can decrypt an individual entry, but it is assumed to be only a matter of time before the key is cracked, at which point every password in the database is decrypted at once.
Although people usually think of Adobe as a brand associated with creativity software such as Photoshop, Illustrator and the like, it is also the developer of Acrobat, for the most part the de facto PDF reader, and of server platforms like ColdFusion, both of which also had their source code stolen as part of this breach. These and other document management and communication tools are used by Fortune 500 companies and governments alike.
This breach at Adobe is potentially much more damaging to national security than anyone at the company has acknowledged, and the repercussions could be tremendous should the attackers crack the weak encryption before these accounts are secured.
I Know Your Password
One of the particularly dangerous aspects of the Adobe data breach is that the password hints are stored in plain text. Although attackers may not be able to decrypt a password (yet), they can make highly educated guesses, even when your own record has no password hint: every other user who chose the same password has the same encrypted value, and some of them did write a hint.
If your password is even slightly common it can be discovered. With permission, I was able to guess several passwords of users in the database; in one case I guessed the password was “oregon” by searching for the encrypted password, which returned 1056 results along with hundreds of helpful hints from others who used the same password.
Looking at just a few samples of the passwords used by military, government and defense contractor accounts, the majority were common passwords. In many cases, once a business/work email was identified, it was also easy to find the owner's home email account: a similar user name and the same encrypted password, just under a different domain from a free email provider such as Gmail or Yahoo.
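To make the three observations above concrete (one key and no salt means identical passwords share an encrypted value; hints from other users leak your password even when your own record has none; and a work address can be tied to a home address through the same user name and the same encrypted value), here is an added example that is not code from the original post or from Adobe. It simulates the leaked table with a constructed sample of seven records. The keyed HMAC that stands in for the site's cipher, the site key, the email addresses, passwords and hints are all assumptions chosen for illustration; what the example relies on is only the property the post describes, namely that the stored value is deterministic per password. The salted-hash function is included for contrast, to show what a correct design would have produced instead.

```python
"""Added example (not from the original post): clustering a leaked table whose
passwords were encrypted under one site-wide key with no per-user salt."""
import hashlib
import hmac
import os
from collections import defaultdict

# Assumption: a single key shared by every record, as the post describes.
SITE_KEY = b"single site-wide key (constructed for this example)"

# Assumption: domains treated as free/home mail providers.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}


def encrypt_deterministic(password):
    """Stand-in for unsalted symmetric encryption under SITE_KEY.

    A keyed HMAC is used only so the example runs on the standard library.
    What it shares with the real scheme is the property that matters here:
    no salt or IV, so identical passwords always map to identical values.
    """
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).hexdigest()[:32]


def salted_hash(password, salt=b""):
    """The design that should have been used: per-user random salt plus a
    slow KDF, so equal passwords do NOT produce equal stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex(), digest.hex()


# Constructed sample rows: (email, plaintext password, plain-text hint).
# The attacker never sees the plaintext column; LEAK below is their view.
_PLAIN = [
    ("alice@navy.mil", "oregon", "state"),
    ("bob@contractor.example", "oregon", "where I grew up"),
    ("carol@gmail.com", "oregon", "ducks"),
    ("dave@nasa.gov", "oregon", ""),             # no hint, same encrypted value
    ("erin@army.mil", "Summer2013", "season+year"),
    ("erin@yahoo.com", "Summer2013", ""),         # home account, same password
    ("frank@fbi.gov", "Tr0ub4dor&3", ""),
]
LEAK = [(email, encrypt_deterministic(pw), hint) for email, pw, hint in _PLAIN]


def cluster_by_ciphertext(rows):
    """Group leaked rows by stored value: one cluster is one password."""
    clusters = defaultdict(list)
    for email, ct, hint in rows:
        clusters[ct].append((email, hint))
    return clusters


def hints_for(rows, ct):
    """All non-empty hints from users sharing this encrypted value. A record
    with no hint of its own inherits everyone else's."""
    return [hint for _, c, hint in rows if c == ct and hint]


def link_home_accounts(rows):
    """Pair a work/government address with a free-mail address that reuses
    the same local part AND the same encrypted value (same password)."""
    by_key = defaultdict(list)
    for email, ct, _ in rows:
        local, domain = email.rsplit("@", 1)
        by_key[(local, ct)].append(domain)
    links = {}
    for (local, ct), domains in by_key.items():
        work = [d for d in domains if d not in FREEMAIL]
        home = [d for d in domains if d in FREEMAIL]
        for w in work:
            for h in home:
                links[local + "@" + w] = local + "@" + h
    return links


if __name__ == "__main__":
    clusters = cluster_by_ciphertext(LEAK)
    # Largest clusters first: the most common passwords, with borrowed hints.
    for ct, members in sorted(clusters.items(), key=lambda kv: -len(kv[1])):
        print(ct, "x%d" % len(members), "hints:", hints_for(LEAK, ct))
    print("work -> home:", link_home_accounts(LEAK))
    # Contrast: two salted hashes of the same password never collide.
    print("salted values differ:", salted_hash("oregon")[1] != salted_hash("oregon")[1])
```

Run as a script, the largest cluster is the four "oregon" users, and dave@nasa.gov, who wrote no hint, is exposed by the hints "state", "where I grew up" and "ducks" left by strangers. The link step ties erin@army.mil to erin@yahoo.com without decrypting anything. With the salted construction neither trick works, because the stored values carry no information about which users share a password.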
We have just started to see the implications of this data breach and the other shoe is about to drop…in fact I anticipate it will be raining shoes over the next few months.