The Adobe Hack: are 150 million people really impacted?

Posted by Emory Kale

Adobe has  a lot to answer for. We've gone from 3 million to 130 million to 150 million possible accounts hacked. It's all out there for everyone to see on the interwebs. Were it not twee software applications, we'd probably sense more outrage. Right now, it's hard to fathom what the deal is and how far this travesty goes.

So, we statred with Adobe getting a security breach that resulted in 3 million accounts being compromised? It turned out that it could be 130 million accounts.

A guy called Jeremy Gosney revealed the extent of the hack  here on his post:

We do not (yet) have the keys Adobe used to encrypt the passwords of 130,324,429 users affected by their most recent breach. However, thanks to Adobe's selection of ECB mode and using the same key for every password, combined with a number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint, this is not preventing us from presenting you with this list of the top 100 passwords selected by Adobe users.
 
While we are fairly confident in the accuracy of this list, we have no way to actually verify it right now. We don't have the keys, and Adobe is not letting any of the affected accounts log in until the owners reset their passwords. So, it is possible there is an error or two in here. Caveat emptor and such.

So, the company that creates the software that is used as a virtual standard for document management, PDF, has had, whatever the final tally is, a major breach. One of epic proportions. Almost insane in the level of access that was attained so simply.

There is an Adobe leak checker created here by rufo. Just enter your email address and see if your account was compromised.

However, the notion still remains that ultimately this breach of your Adobe account may not have a huge impact per se, but that if you, like most people, tend to use the same password across multiple online accounts, you are going to have to learn not to do that.

I mean, I'm supposed to hold close to 48 different passwords, in my case? This isn't going to happen realistically. I should have a certain level of trust in the people who hold my accounts and it shouldn't be all about me and my password making habits.

The real answer is that we need to have two-factor authentication as standard.  In two-factor authentication you need to have two of three things:

  • A password, PIN, or access code of some sort, or something that you have to know
  • A smartcard, a token, a dongle or some such thing, or something that you have to have
  • A fingerprint, iris scan, or something that is uniquely you

Someone hacks your password then, they still have to have one of the other things. It's not a cure all but it is a heck of a lot better than seeing your account hacked because a company made it easy for someone to get a hold of your password.