Posts Tagged: Adobe breach


11
Mar 14

KrebsOnSecurity.com Wins Awards

mlaIn February, this blog and its author were recognized for three separate awards. At the RSA Security conference in San Francisco, KrebsOnSecurity.com was voted the “Most Educational Security Blog” at the Security Bloggers Meetup (for the second year in a row). The judges at the meetup also gave KrebsOnSecurity.com the honor of the “Best Blog Post of the Year,” for my reporting on the Adobe breach.

Separately, I am honored to have received the Mary Litynsky Award for Protecting the Online Community, a lifetime achievement recognition given by the Messaging, Malware and Mobile Anti-Abuse Working Group. M3AAWG’s announcement about the award is here. Past recipients of this award are listed here.


11
Nov 13

Facebook Warns Users After Adobe Breach

Facebook is mining data leaked from the recent breach at Adobe in an effort to help its users better secure their accounts. Facebook users who used the same email and password combinations at both Facebook and Adobe’s site are being asked to change their password and to answer some additional security questions.

Message that Facebook has been sending to certain users whose information was found in the stolen Adobe user data.

Message that Facebook has been sending to certain users whose information was found in the stolen Adobe data.

Facebook spokesman Jay Nancarrow said Facebook is constantly on the lookout for data leaked from other breach incidents that may endanger accounts of its own users. Nancarrow said that the social networking service has similarly acted in the wake of other high profile breaches to determine if any of its own users’ credentials may have been affected.

“We actively look for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service,” said Nancarrow, who declined to say exactly how many Facebook users were seeing the above message. “When we find these situations, we present messages like the one in the screenshot to help affected people secure their accounts.”

In a breach first announced on this blog Oct. 3, 2013, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts. Earlier this month, Adobe said it had actually notified more than 38 million users that their encrypted account data may have been compromised. But as first reported here on Oct. 29, the breach may have impacted closer to 150 million Adobe users.

What’s more, experts say Adobe appears to have used a single encryption key to scramble all of the leaked user credentials, meaning that anyone who computes, guesses or acquires the decryption key immediately gets access to all the passwords in the database. In a detailed analysis of the enormity of Adobe’s blunder, Paul Ducklin of Sophos describes how researchers managed to work out a decent chunk of the encrypted user passwords just by comparing the leaked data to other large password breaches and to password hint information included in the Adobe account cache.

Update, 2:07 p.m. ET: Looks like Diapers.com and Soap.com sent similar notices to their customers on Sunday. A hit tip to readers Arthur and Dave for sharing copies of the emails from those two sites.

Update, Nov. 12, 4:07 p.m. ET: The initial story seems to have confused a number of readers, perhaps because I left out an explanation of what exactly Facebook did. As a result, many readers seem to have hastily and erroneously concluded that Facebook doesn’t properly secure its users passwords if it can simply compare them in plain text to the Adobe passwords that have already been worked out.

As I proffered in a follow-up comment on this story, Facebook and any other company can take any of the Adobe passwords that have already been guessed or figured out and simply hash those passwords with whatever one-way hashing mechanism(s) they use internally. After that, it’s just a matter of finding any overlapping email addresses that use the same password. Facebook’s Chris Long confirmed that this is more less what the company did.


29
Oct 13

Adobe Breach Impacted At Least 38 Million Users

The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the company’s Photoshop family of graphical design products.

A posting on anonnews.org that was later deleted.

A posting on anonnews.org that was later deleted.

In a breach first announced on this blog Oct. 3, 2013, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts.

At the time, a massive trove of stolen Adobe account data viewed by KrebsOnSecurity indicated that — in addition to the credit card records — tens of millions of user accounts across various Adobe online properties may have been compromised in the break-in. It was difficult to fully examine many of the files on the hackers’ server that housed the stolen source because many of the directories were password protected, and Adobe was reluctant to speculate on the number of users potentially impacted.

But just this past weekend, AnonNews.org posted a huge file called “users.tar.gz” that appears to include more than 150 million username and hashed password pairs taken from Adobe. The 3.8 GB file looks to be the same one Hold Security CISO Alex Holden and I found on the server with the other data stolen from Adobe.

Adobe spokesperson Heather Edell said the company has just completed a campaign to contact active users whose user IDs with valid, encrypted password information was stolen, urging those users to reset their passwords. She said Adobe has no indication that there has been any unauthorized activity on any Adobe ID involved in the incident.

“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” Edell said [emphasis added]. “We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.”

Edell said Adobe believes that the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data. “We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident,” she wrote in an email. “Our notification to inactive users is ongoing.”

Part of the Adobe breach involved the theft of source code for Adobe Acrobat and Reader, as well as its ColdFusion Web application platform. Among the cache was a 2.56 GB-sized file called ph1.tar.gz, but KrebsOnSecurity and Hold Security were unable to crack the password on the archive. Over this past weekend, AnonNews.org posted a file by the same name and size that was not password protected, and appeared to be source code for Adobe Photoshop.

Asked about the AnonNews posting’s similarities to the leaked source code troves discovered by this publication in late September, Adobe’s Edell said indeed that it appears the intruders got at least some of the Photoshop source code. In both cases, Adobe said it contacted the sites hosting the data linked to from the AnonNews postings and had the information taken down.

“Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3,” Edell wrote.

Continue reading →