Just How Bad Is The Adobe Hack?
In case you haven’t heard, Adobe’s servers were hacked. Just how bad was it? Here’s a mediocre infographic I created, with more details beneath it.
The scope of the hack is breathtaking. The compromised user list has been publicly leaked onto the internet, in the form of a 10 GB text file: 150 million email addresses, 130 million encrypted passwords, and password hints. While it’s good that the passwords are all encrypted, the encryption was done using a reversible algorithm with a single key. In other words, once someone finds a way to crack just a single one of those passwords, ALL of them will be decrypted. I feel bad for the person whose password is their initials and SSN.
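To make the single-key point concrete, here is an added example (not from the original post or from Adobe's systems) that contrasts reversible storage under one site-wide key with salted one-way hashing. The XOR cipher is a toy stand-in, since the post does not name the algorithm; the accounts, key handling, iteration count and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; nothing here comes from the leaked file.
USERS = {
    "alice@example.com": "rex2009",
    "bob@example.com": "rex2009",      # same password as alice
    "carol@example.com": "tulips!",
}
ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune for your hardware)


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy reversible cipher: XOR with a SHA-256 keystream. Stand-in only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def store_reversible(users: dict, key: bytes) -> dict:
    """One site-wide key, no per-user input: the design the post describes."""
    return {email: toy_cipher(key, pw.encode()) for email, pw in users.items()}


def decrypt_all(table: dict, key: bytes) -> dict:
    """Whoever holds the single key recovers every password at once."""
    return {email: toy_cipher(key, ct).decode() for email, ct in table.items()}


def store_hashed(users: dict) -> dict:
    """One-way alternative: per-user random salt plus PBKDF2-HMAC-SHA256."""
    table = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        table[email] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS))
    return table


def verify_hashed(record: tuple, candidate: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)
```

With the reversible table, the two accounts that share a password also share a ciphertext, and the one key opens every row. With the hashed table there is no key to lose, and each row has to be guessed separately.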
Even without the passwords being cracked, this is still REALLY BAD NEWS for the average Adobe user. Let me give you an example. I took a random email address from the database and noted the unencrypted password hint: “son’s name and bday.” A quick Google search for the email address revealed that it belongs to a mom who runs a public online forum. Her real name, hometown, and pictures of her family and pets are all available on this forum. Searching for her real name and hometown got me her home address and phone number.
I chose to drop the search here, but if I had malicious intent, I could have easily continued on to find her social media accounts and attempted to brute-force a login using her son’s name and various date combinations for his birthday. Most people use the same password on multiple services, so it’s an easy way for criminals to gain access to multiple accounts.
Are you an Adobe customer? Where else do you use that email address? Where else have you used that password? I cannot emphasize strongly enough that you need to go change all those passwords immediately.
I’m currently toying around with making a tool that will let you see if your email address was exposed by the Adobe hack. If I have time this weekend, I’ll see if I can get it online.