Adobe had a HUGE password leak recently. How do you know if YOUR password was compromised? There is now an email address checker that can tell you: https://adobe.cynic.al
Find out if you have been owned!
Did your Adobe password leak? Now you and 150m others can check
The Guardian – “Nearly 150 million people have been affected by a loss of customer data by Adobe, over 20 times more than the company admitted in its initial statement last week.
Owing to the proliferation of Adobe products in use throughout the world, from the Flash browser plugin, to the Acrobat software used to create PDFs, to the AIR framework used to make software like Tweetdeck and the BBC iPlayer desktop application, many users have Adobe accounts which they have since forgotten about (including 50% of the Guardian technology desk).
Using https://adobe.cynic.al, a tool created by programmer @Hilare_Belloc, users can check if their email address was included in the 10GB database leaked last week. If it isn’t, then they are safe, but if it is, then they need to seriously check whether they reused the password anywhere else – because it is as good as revealed.
Encryption error
As well as allowing the data to be stolen in the first place, Adobe made two other serious errors when storing the data. Firstly, it encrypted all the passwords with the same key; secondly, the encryption used a method which renders the encrypted data insecure.
The method, called ECB mode, means that every identical password also looks identical when encrypted. So if the database shows 1.9 million people whose password, when encrypted, reads ‘EQ7fIpT7i/Q’, then researchers know that they all have the same password. From there, they can look at the password hints, which Adobe didn’t encrypt at all, to try and guess what the password might be.
In this example, the hints include ‘numbers’, ‘12’, ‘654321’ and ‘123456’. That last one is most likely the password itself; and so the 1.9m who used 123456 as their password have had it compromised.
There is no simple way to reverse the encryption, but “brute force” attacks can sometimes figure out what the key used to encrypt them is. That would mean that attackers would have a colossal store of emails and passwords which they could test on other sites around the web.
So even if a user’s password is unique, and the hint means something only to them, they should still consider their data at risk.
‘Clearly those users who chose longer, more complex passwords will be less at risk than those who chose common dictionary words or the most commonly chosen passwords,’ says Graham Cluley, a security consultant. ‘[But] let’s not forget that the hackers gained access to Adobe’s systems and stole product source code as well as the database. It’s quite possible that they also stole the keys that Adobe was using on its database – and so could have already unlocked the information.’
‘If your Adobe password is compromised, that possibly won’t have a huge impact on your online life. But if that same password is being used elsewhere on the net (and sadly, we know that many people use the same password for multiple websites) then the consequences could be significant.’
Ultimately, the leak is just the latest reminder of the risks of re-using passwords. ‘I think it would be best for people [affected] to change their passwords – and, if they were re-using them, to learn the lesson never to re-use passwords again.
‘You should never use the same password on multiple websites.’”
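The storage flaw the article describes, as an added example that is not part of the Guardian piece or Adobe's code: one key in ECB mode gives every account with the same password the same stored value, so their unencrypted hints pool together, while a per-user salted hash does not. The Feistel cipher is a toy stand-in for a real block cipher, the accounts are constructed, and PBKDF2 is an assumed choice for the corrected storage.

```python
import base64, hashlib, hmac, os
from collections import defaultdict

BLOCK = 8  # bytes per cipher block

def _encrypt_block(key, block):
    # Toy 4-round Feistel network: a stand-in for a real block cipher, not for production.
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def ecb_encrypt(key, password):
    # ECB: pad, then encrypt each block independently with no IV or salt.
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    blocks = (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))
    return base64.b64encode(b"".join(_encrypt_block(key, b) for b in blocks)).decode()

def salted_hash(password, salt=None, iterations=600_000):
    # Corrected storage (assumed choice): one-way, slow, and salted per user.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()

def hints_by_stored_value(rows):
    # Pool the plaintext hints of every account that shares a stored value.
    groups = defaultdict(list)
    for _email, stored, hint in rows:
        groups[stored].append(hint)
    return dict(groups)

# Constructed sample accounts; the hints for the shared password are those quoted in the article.
USERS = [
    ("a@example.com", "123456", "numbers"),
    ("b@example.com", "123456", "12"),
    ("c@example.com", "123456", "654321"),
    ("d@example.com", "123456", "123456"),
    ("e@example.com", "correct horse battery", "xkcd"),
]

if __name__ == "__main__":
    key = os.urandom(16)  # the single key shared by every row
    ecb = hints_by_stored_value([(e, ecb_encrypt(key, p), h) for e, p, h in USERS])
    kdf = hints_by_stored_value([(e, salted_hash(p), h) for e, p, h in USERS])
    for stored, hints in ecb.items():
        print("ECB ", stored, hints)
    print("distinct stored values: ECB", len(ecb), "vs salted hash", len(kdf))
```

With the five sample accounts, the ECB column collapses to two distinct stored values and the salted hashes stay at five.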