According to the post mortem of the attack, it appears that Adobe was using a very weak form of password encryption called MD5. MD5 was broken way back in 1993, and although there have been a few updates to MD5 to help prolong its life, even the original author has been telling people to stop using it. You would think that Adobe would have learned from the breach of LinkedIn and others that were still using MD5 and updated their password protection algorithm. However, things get worse from there. Adobe seems to have followed more than just the trend of using MD5; they also did not salt any of the passwords as an extra precaution to protect their users.
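To show concretely why unsalted MD5 is such a poor way to store passwords, here is an added example (not code from the article or from Adobe) that hashes a constructed sample user table two ways: the unsalted MD5 scheme the post mortem describes, and a per-user salted, iterated PBKDF2-HMAC-SHA256 scheme. The `pbkdf2_sha256$iterations$salt$hash` storage format and the sample users are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample user table (not Adobe data); two users share the common
# password "welcome", much as many accounts in the leaked list did.
USERS = {"alice": "welcome", "bob": "welcome", "carol": "123456"}

def md5_unsalted(password: str) -> str:
    """The weak scheme the article describes: one MD5 of the raw password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow iterated hash (PBKDF2-HMAC-SHA256).
    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' (assumed format)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, _dk_hex = stored.split("$")
    recomputed = pbkdf2_salted(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)

def hash_table(scheme: Callable[[str], str]) -> Dict[str, str]:
    """Apply one hashing scheme to every user in the sample table."""
    return {user: scheme(pw) for user, pw in USERS.items()}

def users_sharing_hashes(table: Dict[str, str]) -> int:
    """Number of users whose stored hash is identical to another user's.
    With an unsalted scheme, recovering one shared hash exposes all of them."""
    counts: Dict[str, int] = {}
    for h in table.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(n for n in counts.values() if n > 1)

if __name__ == "__main__":
    weak = hash_table(md5_unsalted)
    strong = hash_table(pbkdf2_salted)
    print("unsalted MD5: users sharing a hash =", users_sharing_hashes(weak))    # 2
    print("salted PBKDF2: users sharing a hash =", users_sharing_hashes(strong))  # 0
    print("verify alice:", verify_pbkdf2("welcome", strong["alice"]))  # True
    print("verify wrong:", verify_pbkdf2("Welcome", strong["alice"]))  # False
```

The unsalted table makes every user with the same password instantly recognisable and lets one precomputed lookup cover all of them; the salted table gives each user a distinct hash and forces per-user, per-iteration work on an attacker.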
At the time of this writing, 644 of a total of 150,000 registered users' passwords have been leaked to show the validity of the hack. Of the 644 released, the majority were exceptionally simple passwords like “welcome”, “123456” and other very weak passwords. Adobe has said they have changed the passwords of the 644 names that were released, but that does not cover the remaining 149,356 users whose passwords might be compromised. Security researchers at Imperva further claim that the list of user names is mostly former Adobe employees; this suggests that the hacked database is old.
Now, while this is entirely possible, we have to wonder why Adobe would close down the entire forum if this was simply an old database containing a list of former employees. You typically do not close up shop because an old storage shed gets broken into. We suspect that there is more to this breach than Adobe and others are letting on right now. There is the question of how the breach was performed and also why Adobe was using such weak and insecure methods to protect user passwords. Unless we have missed our guess, Adobe is using the downtime not only to upgrade their systems (in the same way that LinkedIn did), but also to make sure that ViruS_HimA did not leave anything behind to allow him access to the system at a future date. Adobe must also validate their claim that other services were not affected, which can be tricky in today's world of globally distributed systems.
The Adobe breach hammers home a fact that we have been talking about for some time. Cloud or internet-based systems are vulnerable to attack, and even more so when companies refuse to update systems to ensure the protection of their users. MD5 is known to be weak; it was broken almost 10 years ago, yet Adobe was still using it and did not even try to add extra protection by salting the passwords. Why was this allowed to continue this way after LinkedIn, Last.FM, and other sites were hacked using the same weak protection? Our guess would be money; Adobe did not want to spend the money it would take to proactively fix the problem. Instead they hoped that they would never have to deal with it and maintained a “we will fix it when it gets broken” mentality that is, unfortunately, all too common in cloud or hosted services. This is the type of mentality behind many cloud services on the market; you know, the same ones that want you to trust them with your data and personal information…
Tell us your thoughts on the Adobe breach in our Forum