[David Strom's Web Informant] November 19. 2013: The widening Adobe breach

David Strom david at strom.com
Tue Nov 19 08:40:02 EST 2013


Web Informant, November 19. 2013: The widening Adobe breach

Like many of you, I heard last month about the Adobe breach and didn’t give
it much mindshare. Turns out things keep getting worse, and I was foolish
to ignore what happened. Mea culpa. Here is a catch-up column along with
lotsa links that go into further details, and why you should be worried.

When I first heard about it, I thought: I don’t have anything to worry
about. I am not a user of their products. And then I thought, so big deal:
a few emails and passwords released to the bad guys. Wrong, wrong and
wrong.

First of all, it now turns out there are 130 million email-password
combinations that can be used for all sorts of mischief. And my name is
most certainly in that list, mainly because somewhere along the line I did
register for something that Adobe now owns. So is yours in all probability.
The file includes both active members and inactive names. Who knew that
Adobe kept the inactive accounts around?

Second, security researchers have been data mining the list and have come
up with ways to figure out what the passwords are, so you can bet the bad
guys are actively downloading the list and doing the same. Because of the
large amount of data, it is fairly easy, based on the password hints which
are also part of the file, to crack the very weak methods (I hesitate to
call this encryption, because it almost like using a simple substitution
code) that Adobe used. One author has published the more popular passwords
that show up in the file: ‘123456’ seems to be one password that will never
go out of style, having shown up almost 2 million times!

Third, other site operators such as Facebook (how ironic!), Eventbrite and
even Diapers.com (yes, that is a real site) have already jumped in and sent
emails to their users warning them to change their account passwords. This
is  because there is a good chance that you used the same password to login
to their services. I got one of those emails but somehow deleted it unread
last week.Boo-hoo for me.

At least Adobe is asking you to change your account password when you do
finally check in. Thanks Adobe, that was a nice touch and the least that
you could do. How about making it easier to close your account too?

Finally, there is some chatter that credit card information also might be
stored as poorly as the passwords. I don’t think that I ever gave Adobe
this data but given the state of my memory, I can’t be sure.

So take the time to change your accounts with passwords that you might have
shared with Adobe, either by intent or by accident, before someone starts
using one of them for nefarious purposes. While you are changing things,
use a password manager and stronger passwords too.And you might want to audit
your Facebook, Twitter and LinkedIn accounts as I mention
here<http://strom.wordpress.com/2012/11/03/app-audit/>to ensure that
the apps that can access these accounts are still what you
wish.

The links to the numerous stories and specifics can be found here:

http://strom.wordpress.com/2013/11/19/adobe-breach/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://list.webinformant.tv/pipermail/webinformant_list.webinformant.tv/attachments/20131119/c87addc6/attachment-0002.html>


More information about the WebInformant mailing list