Like many of you, I heard last month about the Adobe breach and didn’t give it much mindshare. Turns out things keep getting worse, and I was foolish to ignore what happened. Mea culpa. Here is a catch-up column along with lotsa links that go into further details, and why you should be worried.
When I first heard about it, I thought: I don’t have anything to worry about. I am not a user of their products. And then I thought, so big deal: a few emails and passwords released to the bad guys. Wrong, wrong and wrong.
First of all, it now turns out there are 130 million email-password combinations that can be used for all sorts of mischief. And my name is most certainly in that list, mainly because somewhere along the line I did register for something that Adobe now owns. So is yours in all probability. The file includes both active members and inactive names. Who knew that Adobe kept the inactive accounts around?
Second, security researchers have been data mining the list and have come up with ways to figure out what the passwords are, so you can bet the bad guys are actively downloading the list and doing the same. Because there is so much data, and because each entry's password hint is stored alongside it in the file, it is fairly easy to crack the very weak method that Adobe used (I hesitate to call this encryption, because it is almost like using a simple substitution code). One author has published the most popular passwords that show up in the file: ‘123456’ seems to be one password that will never go out of style, having shown up almost 2 million times!
Third, other site operators such as Facebook (how ironic!), Eventbrite and even Diapers.com (yes, that is a real site) have already jumped in and sent emails to their users warning them to change their account passwords. This is because there is a good chance that you used the same password to log in to their services. I got one of those emails but somehow deleted it unread last week. Boo-hoo for me.
At least Adobe is asking you to change your account password when you do finally check in. Thanks Adobe, that was a nice touch and the least that you could do.
Finally, there is some chatter that credit card information also might be stored as poorly as the passwords. I don’t think that I ever gave Adobe this data but given the state of my memory, I can’t be sure.
So take the time to change your accounts with passwords that you might have shared with Adobe, either by intent or by accident, before someone starts using one of them for nefarious purposes. While you are changing things, use a password manager and stronger passwords too. And you might want to audit your Facebook, Twitter and LinkedIn accounts as I mention here to ensure that the apps that can access these accounts are still what you wish.
The links to the numerous stories and specifics can be found below:
- The Sophos guys go under the covers and give the best technical information
- Krebs mentions why Facebook is getting involved
- Top 100 most often used passwords in the file
- Diapers.com gets into the fray
- How you can be targeted by the bad guys
- Even the XKCD comic has made fun of Adobe
- The latest from the New York Times