Last month, Adobe Systems Inc. announced that hackers cracked into its network and gained access to sensitive personal information (credit card numbers, social security numbers, etc.) pertaining to 2.9 million customers. A few weeks later, they upped that 2.9 million to a whopping 38 million. By early November, it was known without a smidgen of doubt that over 150 accounts had been affected by the Adobe data breach.
How Was It Discovered?
About a week prior to the data breach announcement, security journalist Brian Krebs and security expert Alex Holden discovered 40GB of stolen source content on a known criminal server. The server is believed to have been used by the same hackers involved in the LexisNexis, Dun & Bradstreet and Kroll data breach incidents as well. The team immediately informed Adobe, and a week later, the whole world knew.
What Are The Implications?
It’s important to understand how the hackers obtained the data. What they actually accessed and stole from Adobe were troves of source code files for a bevy of prominent Adobe titles used by millions upon millions of customers.
By studying gigabytes of this source code, they were able to identify and exploit weaknesses in these software suites. This in turn permitted them to gain access to 150 usernames and passwords. To understand the implications of this data breach, one need only heed the words of Alex Holden:
"[This data breach is] one of the worst in U.S. history because the source code of an end user product such as Adobe Reader and Adobe Publisher was breached and leaked. This allows additional attack vectors to be discovered and viruses to be written for which there are no defenses."
What Have Been The Repercussions?
As of mid-November, repercussions from this data breach are still being felt by not only Adobe and its customers, but by numerous other entities.
For one, Facebook began warning its users about potential threats to their accounts. Why? Many of them used the exact same password on their FB accounts as they used on their Adobe accounts. Users of Diapers.com also unfortunately fell victim, as the company recently notified many of them that they had to reset their passwords right away. Again, it was a case of users utilizing the same password twice.
How Should IT Professionals Respond?
A question still remains — how exactly did the hackers involved in this data breach obtain the previously mentioned source code? They obtained it by exploiting three serious mistakes that Adobe’s IT professionals made.
The first mistake they made was encrypting every single one of their passwords with the same key. That is an obvious no-no that every IT professional with any common sense ought to avoid.
The second mistake they made was utilizing an insecure encryption method known as ECB mode. With this method, equal passwords wind up looking the exact same when encrypted. This makes it that much easier for criminals to crack them.
The last and possibly most pathetic mistake they made was not encrypting the password hints.
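The three mistakes above can be seen together in a short added example (not code from Adobe or from the original article). It assumes a toy 8-byte Feistel cipher as a stand-in for the real block cipher, plus a constructed key and constructed user records, and contrasts single-key ECB storage with per-user salted hashing:

```python
import hashlib, hmac, os
from collections import defaultdict

BLOCK = 8  # toy block size in bytes (assumption for this demo)
KEY = b"one-key-for-every-account"  # constructed key shared by all records (mistake 1)
USERS = [  # constructed sample records: (user, password, plaintext hint)
    ("alice", "sunshine1", "weather + 1"),
    ("bob", "sunshine1", "same as my facebook"),
    ("carol", "sunshine2024", "fav word and year"),
    ("dave", "Tr0ub4dor&3", "comic"),
]

def toy_encrypt_block(key, block):
    """4-round Feistel network: a deterministic keyed permutation, NOT a real cipher."""
    left, right = block[:4], block[4:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def ecb_encrypt(key, password):
    """ECB (mistake 2): every block is encrypted independently, with no IV or salt."""
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    blocks = (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))
    return b"".join(toy_encrypt_block(key, b) for b in blocks)

def salted_hash(password):
    """Per-user random salt plus a slow hash; iteration count chosen for the demo."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def clusters(stored):
    """Return groups of users whose stored value is byte-identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def ecb_store():
    return {u: ecb_encrypt(KEY, p) for u, p, _ in USERS}

def hashed_store():
    return {u: salted_hash(p) for u, p, _ in USERS}

if __name__ == "__main__":
    hints = {u: h for u, _, h in USERS}  # plaintext hints (mistake 3)
    for group in clusters(ecb_store()):
        print("same ciphertext:", group, "hints:", [hints[u] for u in group])
    print("clusters with salted hashes:", clusters(hashed_store()))
```

With ECB, alice and bob collapse into one cluster and every plaintext hint in that cluster describes the same password, while carol's record still shares its first block with theirs. The salted hashes produce no clusters at all.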
What Are The Lessons To Be Learned?
There are three primary lessons to be learned from this data breach.
- Obviously, customers need to be reminded to not use the same password twice.
- Secondly, customers ought to be forced to choose long and complex passwords.
- Finally, but perhaps most importantly, IT professionals must opt to never be lazy about security, because ultimately, this colossal data breach came about not per the ingenuity of hackers, but because of the lazy inactions of the IT professionals at Adobe.