Revisiting the Adobe Password Breach and the Risk to Your Network

By John Carruthers ·

Although the Adobe password breach happened back in October 2013, organizations may still be exposed by the data leaked in the attack. Each breach record holds three fields of value to an attacker: the email address, the encrypted password and the (unencrypted) password hint the user set. Of the 153 million records leaked, over 130 million contain a non-empty password, and 56 million of those encrypted passwords are unique.

How an Attacker Uses the Breach Data

Although Adobe did encrypt the passwords with 3DES rather than storing them in the clear, an attacker can still recover the plaintext without breaking the cipher. The passwords were encrypted without a per-user salt, so every user who chose the same password has exactly the same ciphertext, and the unencrypted hints of all those users describe that one password.

Step 1) The attacker searches for companies of interest using the domain name in the email address. In this example, the attacker identifies yourcompany.com.

Step 2) The attacker takes the encrypted password of a target account and searches the entire database for every record with an identical ciphertext. Below, our attacker finds six accounts that all share the same encrypted password.

Step 3) The attacker can now read every one of those users' hints for that one encrypted password. After a bit of thinking, the attacker can guess the password from the hints. In this example, it is most likely Marilyn, although the capitalization remains to be guessed.
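The three steps above, and the domain search in the first recommendation at the end of this post, come down to one procedure: parse the dump, group records by ciphertext (unsalted encryption means identical passwords give identical ciphertext), pick out the accounts on a domain of interest, and list every hint attached to each of their ciphertexts. The script below is an added example and is not code from the original post or from Adobe. The record layout (id, unused field, email, base64 ciphertext, hint, separated by -|- and terminated by |--) is assumed here, and the sample lines and ciphertext strings are constructed for the example.

```python
"""Triage the Adobe 2013 dump for accounts on one domain and collect the
hints of every user who shares each account's encrypted password.

Added example; the record layout below is an assumption about the leaked
file and SAMPLE_DUMP is constructed, not real breach data.
"""
from collections import defaultdict

# Constructed sample in the assumed layout of the leaked file:
#   id-|-<unused>-|-email-|-<base64 3DES ciphertext>-|-hint|--
SAMPLE_DUMP = """\
1001-|--|-alice@yourcompany.com-|-c2FtZUNpcGhlcnRleHQ=-|-favorite actress|--
1002-|--|-bob@example.org-|-c2FtZUNpcGhlcnRleHQ=-|-monroe|--
1003-|--|-carol@yourcompany.com-|-ZGlmZmVyZW50b25l-|-|--
1004-|--|-dave@example.net-|-c2FtZUNpcGhlcnRleHQ=-|-blonde bombshell|--
1005-|--|-erin@YourCompany.com-|-YW5vdGhlcm9uZQ==-|-dog|--
1006-|--|-frank@example.com-|-YW5vdGhlcm9uZQ==-|-same as pet name|--
1007-|--|-grace@yourcompany.com-|--|-|--
"""


def parse_line(line):
    """Split one dump line into a record dict; return None if it is malformed."""
    line = line.rstrip("\r\n")
    if line.endswith("|--"):
        line = line[:-3]
    fields = line.split("-|-")
    if len(fields) < 5:
        return None
    rec_id, _unused, email, cipher = fields[:4]
    hint = "-|-".join(fields[4:])  # a hint may itself contain the separator
    return {"id": rec_id, "email": email.strip().lower(),
            "cipher": cipher.strip(), "hint": hint.strip()}


def parse_dump(text):
    """Parse every well-formed line of the dump (empty ciphertexts are kept)."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def group_by_ciphertext(records):
    """Map ciphertext -> records, in dump order.  Because the encryption used
    no per-user salt, one ciphertext means one shared plaintext password."""
    groups = defaultdict(list)
    for r in records:
        if r["cipher"]:  # records with no password cannot be correlated
            groups[r["cipher"]].append(r)
    return groups


def accounts_for_domain(records, domain):
    """Records whose email address is on exactly the given domain (case-insensitive)."""
    domain = domain.lower()
    return [r for r in records
            if "@" in r["email"] and r["email"].rsplit("@", 1)[1] == domain]


def triage(text, domain):
    """For each account on `domain`: how many other users share its ciphertext
    and the non-empty hints of everyone in that group (the account's own included)."""
    records = parse_dump(text)
    groups = group_by_ciphertext(records)
    report = {}
    for r in accounts_for_domain(records, domain):
        peers = groups.get(r["cipher"], []) if r["cipher"] else []
        report[r["email"]] = {
            "cipher": r["cipher"],
            "shared_with": max(len(peers) - 1, 0),
            "hints": [p["hint"] for p in peers if p["hint"]],
        }
    return report


if __name__ == "__main__":
    for email, info in triage(SAMPLE_DUMP, "yourcompany.com").items():
        print(f"{email}: shared with {info['shared_with']} other account(s); "
              f"hints: {info['hints']}")
```

Run against the real file, the same logic needs two streaming passes rather than parse_dump loading everything into memory: one pass to count ciphertexts and record the hints of interest, one to emit the report. The output for a defender is the list of your own addresses with a non-empty ciphertext; the output for an attacker is the hint list beside each one.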

Using this methodology, an attacker can compromise your organization when all of the following hold:

  • The account whose email address appears in the leak still exists on your network.
  • The user set the same password for Adobe and for your company’s internal infrastructure.
  • The attacker can reach an externally facing system that accepts that login, such as webmail, the corporate VPN, FTP, etc.

Even without a matching password, the attacker can use the hints and the knowledge of who holds an Adobe account as inside information in a social engineering campaign.

Recommendations

Although Adobe has done a good job in its response to the breach, sending a notification to each email address contained in the leak, it is up to each user in your organization to receive that email, read and understand it, and comply with the instructions to change passwords. A user who already engages in password reuse will most likely not comply with these instructions.

Two things you can do immediately to secure your organization:

  • 1.  Download and review the leaked data for any accounts using your company domain names. Once they are found, force a password reset for those users on your own systems, not only at Adobe.
  • 2.  Deploy a two-factor authentication system for externally accessible systems such as email and VPN, so that a reused password alone is not enough to log in.