Adobe confirms stolen passwords were encrypted, not hashed

System hit was not protected by traditional best practices, used 3DES instead

Researchers have revealed, and Adobe has confirmed, that the millions of passwords stolen during the breach in October were not originally stored according to industry best practices. Instead of being hashed, the passwords were encrypted, which could make things a little easier for those looking to crack them.

[Source code and 2.9 million accounts raided by attackers in Adobe breach]

In a statement to CSO confirming details revealed by Ars Technica on Friday, Adobe says that the passwords stolen during the breach in October were not hashed, as many originally assumed, but encrypted, meaning that Adobe engineers were (at one time) not following best practices when it comes to passwords.

For password storage and protection, the general best practice is to use an algorithm designed for password protection, the top options being bcrypt, scrypt, PBKDF2, or SHA-2. The reason for using such algorithms is that, when implemented correctly, they make brute-force cracking attempts nearly impossible. The difficulty is compounded when passwords are hashed with a long, per-user salt, creating what is commonly known as a salted hash. In fact, when passwords are not properly hashed, any organization being graded against the OWASP Top 10 will immediately run afoul of item A6, Sensitive Data Exposure.

Adobe says that they've followed best practices for password storage and protection for more than a year now, as their authentication systems were upgraded to use SHA-256, with salt, to protect customer passwords. However, this upgraded system was not what the attackers hit.

"This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored," Adobe spokesperson, Heather Edell told CSO.

Using Triple DES (3DES) to protect passwords goes against traditional best practice because, depending on how the passwords are encrypted, if an attacker can guess the key, the passwords can and will be recovered. Attacking 3DES directly isn't easy, however. So while Adobe's methods haven't made things terribly convenient for those attempting to crack the stolen list of passwords, they haven't made it impossible either.

[Stolen Adobe account data goes public, Photoshop source code breached]

Passive examination of the list, which contains more than 130 million Adobe accounts, has already turned up some interesting data. Jeremi Gosney, from Stricture Consulting Group, was able to compile a Top 100 list of common passwords thanks to several key pieces of data.

"We do not (yet) have the keys Adobe used to encrypt the passwords of 130,324,429 users affected by their most recent breach. However, thanks to Adobe choosing symmetric key encryption over hashing, selecting ECB mode, and using the same key for every password, combined with a large number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint, this is not preventing us from presenting you with this list of the top 100 passwords selected by Adobe users," Gosney wrote.

According to the Top 100 list, nearly 1.9 million accounts used '123456' as their password, with more than 440,000 accounts opting for '123456789' instead. After that, 'password', 'adobe123' and '12345678' rounded out the top five.
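Gosney's point about ECB mode and a single shared key, shown with an added example that is not from the article or from Adobe: a constructed list of the passwords above is encrypted with a fixed key and no salt, and the analysis then looks only at the ciphertexts. DEMO_KEY and the sample list are constructed; if pycryptodome is not installed, a labelled keyed stand-in replaces 3DES, since the leakage comes from ECB mode, not from the cipher itself.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 8  # 3DES block size in bytes
DEMO_KEY = b"constructed-demo-key-24b"  # constructed 24-byte key, not Adobe's

try:
    from Crypto.Cipher import DES3  # real 3DES if pycryptodome is installed
    def _block_fn(key):
        return DES3.new(key, DES3.MODE_ECB).encrypt
except ImportError:
    # Stand-in keyed block function (NOT 3DES) so the demo runs offline.
    # It keeps the one property that matters here: same key + same block
    # always gives the same output, which is all ECB mode ever guarantees.
    def _block_fn(key):
        return lambda blk: hmac.new(key, blk, hashlib.sha256).digest()[:BLOCK]

def pad(pw: bytes) -> bytes:
    n = BLOCK - len(pw) % BLOCK
    return pw + bytes([n]) * n

def ecb_encrypt(key: bytes, pw: bytes) -> bytes:
    """ECB: every 8-byte block is encrypted independently, no IV, no chaining."""
    enc = _block_fn(key)
    data = pad(pw)
    return b"".join(enc(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

# Constructed sample "dump": seven users, several reusing the top passwords.
SAMPLE_PASSWORDS = [b"123456", b"123456789", b"123456", b"password",
                    b"adobe123", b"12345678", b"123456"]

def encrypt_dump(key: bytes, passwords) -> list:
    return [ecb_encrypt(key, p) for p in passwords]

def most_common_ciphertext(dump) -> tuple:
    """Key-free analysis: identical passwords give identical ciphertexts,
    so frequency counting alone reveals the most popular password entry."""
    return Counter(dump).most_common(1)[0]

def share_first_block(ct_a: bytes, ct_b: bytes) -> bool:
    """Key-free analysis: a shared first ciphertext block means the two
    plaintexts share their first 8 bytes (e.g. 12345678 vs 123456789)."""
    return ct_a[:BLOCK] == ct_b[:BLOCK]

def salted_hash(pw: bytes, salt: bytes) -> bytes:
    """The alternative (salted, iterated SHA-256 via PBKDF2): a per-user salt
    makes identical passwords produce unrelated digests, so counting fails."""
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000)
```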

Based on the list, many of the accounts exposed during the breach likely used a throwaway password, on the basis that their Adobe account wasn't important. However, people are creatures of habit, and the fear is that password recycling could be an issue given that email addresses were also exposed.

If you'd like to check and see if your email address is in the list of compromised Adobe data currently circulating online, you can go here to do so. As a rule, if your email was exposed, change your passwords and be skeptical of any communications referencing the Adobe breach.
