Adobe investigates alleged customer data breach

The information, published on Tuesday on Pastebin, includes hashed passwords, names and email addressses
  • Jeremy Kirk (IDG News Service)
  • — 14 November, 2012 03:36

Adobe said Wednesday it is investigating the release of 230 names, email addresses and encrypted passwords claimed to have been stolen from a company database.

The information was released on Tuesday on Pastebin by a self-proclaimed Egyptian hacker named "ViruS_HimA." The hacker, who claimed the database accessed holds more than 150,000 records, posted links to several websites hosting a text file with 230 records.

"We have seen the claim and are investigating," said Wiebke Lips, senior manager with Adobe's corporate communications.

The hacker only released records with email addresses ending in "adobe.com," ".mil" and ".gov."

A look at the 230 records showed the full names, titles, organizations, email addresses, usernames and encrypted passwords of users in a variety of U.S. government agencies, including the departments of Transportation and Homeland Security, the U.S. State Department, the Federal Aviation Administration and state-level agencies, among others.

The published passwords are MD5 hashes, or cryptographic representations, of the actual plain-text passwords. It's a good security practice to only store hashes rather than the plain-text passwords, but those hashes can be converted back to their original state using free password-cracking tools and enough computing power.

Shorter passwords are easier to crack, especially if they contain no special characters and are, for example, just a word composed of lower-case letters. Many MD5 hashes that have already been reversed are available in lists freely available on the internet.

Some of the MD5 hashes released in the text file revealed simple passwords. That's particularly dangerous given that people tend to reuse passwords for other services. Hackers will typically try to use stolen credentials on sites such as Facebook and Twitter to see if they're valid.

Given that the data released on Tuesday includes names and organizations, hackers could act fast in an attempt to steal other information.

An email request for an interview with ViruS_HimA wasn't immediately returned. The hacker wrote there's another data leak soon to be released from Yahoo.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Tags: security, Adobe Systems, data breach

Confirmed: hackers can use Heartbleed to steal private SSL keys

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Sophos Mobile Control

Data protection, policy compliance and device control for mobile devices

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.