Adobe suffered a data breach in early October compromising the account information of as many as 150 million Adobe accounts. Although the passwords were hashed, email addresses and password hints were not, and, with the data posted in fraudster forums, many other online organizations may see the effects of this breach. Several companies, including Facebook, are taking a more proactive approach by mining the breached record database and forcing users with the same email and password to set a new one.
Adobe first announced the data breach on October 3rd, estimating that it impacted 3 million Adobe account holders. Later that month Adobe revised this estimate to 38 million, and in November an independent investigator obtained the database that had been posted in cyber-criminal forums and reported it to contain over 150 million records. Adobe stands by its estimate of 38 million compromised records, stating that the larger data set posted online includes invalid, inactive and test account Adobe IDs. Adobe has notified the 38 million it knows to be impacted and has reset their passwords.
But details from the data breach don’t bode well for Adobe or for consumers in general, who continue to use and reuse weak passwords. When Adobe first announced the breach it believed the credit card data of nearly 3 million customers was compromised, but it later discovered that 38 million accounts had their emails and encrypted passwords compromised. The passwords were hashed, but the accompanying email addresses and password hints were in plain text. In addition to the consumer records, attackers were also able to obtain source code for major Adobe products: Acrobat, ColdFusion and ColdFusion Builder.
The 38 million affected users include active Adobe accounts belonging to users of Acrobat, PhotoShop, CreativeCloud and other services. However, millions of inactive Adobe accounts were also compromised, making up some of the 150 million accounts included in the database fraudsters are sharing. Adobe quickly suspended the inactive accounts and forced password resets for the active accounts before users could access them, but a large number of people with compromised information may not have been active users for several years. This has since prompted a conversation among consumer privacy activists, security experts and companies asking “How long should companies store data from closed or inactive accounts?”
It is common for fraudsters to use compromised consumer account information not only against the organization that suffered the data breach, but also against other organizations and websites where consumers may be reusing the same email address and password. Given the size of the Adobe data breach, several companies have taken a more proactive approach to stop unauthorized account access. Most notably, Facebook mined the compromised Adobe account records, identifying email and password combinations that were also used on the social networking site. These users were warned that a security incident unrelated to Facebook put their account at risk because they were using the same password in both places, and were then required to answer security questions and reset their password before they could access their account. Online retailers Diapers.com and Soap.com, both owned by Amazon, took similar measures.
Analysis of the most used passwords from the compromised Adobe account data shows it is important for companies unaffected by a data breach to still take password security seriously. The top five passwords in the compromised 150 million records included 123456, used by 1.9 million accounts, 123456789, password and adobe123. Others in the top twenty most used were photoshop, macromedia, adobe1 and qwerty.
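The two defensive measures described above, mining a breach corpus for credentials reused on one's own site and ranking the leaked passwords to build a blocklist, can be illustrated with the following added example. It is not Adobe's or Facebook's code, and it assumes a small constructed breach corpus of email and plaintext password pairs plus a site user store that keeps salted PBKDF2-HMAC-SHA256 hashes (a stand-in for whatever hash a real site uses); all names and data here are made up for the example.

```python
"""Defender-side checks modelled on the response to a third-party breach.

Added example, not code from the original article or from any company it
names. Assumptions (all constructed for this example):
  * BREACH_CORPUS: (email, plaintext password) pairs standing in for
    credentials recovered from a leaked database.
  * SITE_USERS: this site's own accounts, stored as salted PBKDF2 hashes.
"""
import hashlib
import hmac
import os
from collections import Counter

# Constructed breach corpus (sample data only, not real leaked records).
BREACH_CORPUS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "adobe123"),
    ("carol@example.com", "correct horse battery staple"),
    ("dave@example.com", "123456"),
    ("erin@example.com", "password"),
    ("frank@example.com", "photoshop"),
]

# Constructed accounts on "our" site; alice and dave reuse their leaked password.
SITE_USERS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "a-different-password-here"),
    ("Dave@Example.com", "123456"),
    ("erin@example.com", "not-the-leaked-one"),
    ("grace@example.com", "qwerty"),
]

ITERATIONS = 10_000  # kept low so the example runs quickly; use far more in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (stand-in for the site's real password hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(users):
    """Build the site's user store: lowercased email -> (salt, hash)."""
    store = {}
    for email, password in users:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def find_reused_credentials(store, corpus):
    """Emails whose leaked password also unlocks their account on this site.

    Each leaked password is run through the site's own salted hash, so the
    site never needs its users' plaintext passwords; only matches are returned.
    """
    flagged = []
    for email, leaked_pw in corpus:
        rec = store.get(email.lower())
        if rec is None:
            continue  # not a user here; nothing to do
        salt, stored = rec
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            flagged.append(email.lower())
    return flagged


def top_passwords(corpus, n=5):
    """Frequency ranking of leaked passwords, the same analysis as in the article."""
    return Counter(pw for _, pw in corpus).most_common(n)


def build_blocklist(corpus):
    """Every password seen in the breach corpus, to reject at signup/reset."""
    return {pw for _, pw in corpus}


def is_blocked(password, blocklist):
    """True if a proposed password appears in the breach-derived blocklist."""
    return password in blocklist


if __name__ == "__main__":
    store = make_user_store(SITE_USERS)
    print("force reset for:", find_reused_credentials(store, BREACH_CORPUS))
    print("most common leaked:", top_passwords(BREACH_CORPUS, 3))
    print("'adobe123' blocked:", is_blocked("adobe123", build_blocklist(BREACH_CORPUS)))
```

Emails are lowercased before lookup so that case differences in the leaked copy do not hide a match, and the comparison uses `hmac.compare_digest` to avoid timing differences. Flagged accounts would then receive the forced reset and extra verification the article describes, while the blocklist stops the same weak passwords from being chosen again.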