November 4, 2013
Adobe Breach Worse than Previously Disclosed
Early in October, Adobe suffered a massive data breach. The breach exposed the personal information of millions of customers and the source code of well-known Adobe products such as Adobe Acrobat, ColdFusion, and others. The attackers managed to access customer names, IDs, encrypted credit card and debit card numbers, expiry dates and other details. Initially it was estimated that the data of about 2.9 million users was accessed during the breach. However, according to a report by Krebs on Security, the breach has impacted personal and sensitive data of approximately 38 million accounts. Journalist Brian Krebs and Alex Holden of Hold Security found a huge file named “users.tar.gz” on AnonNews.org that appears to have included more than 150 million username and hashed password pairs taken from Adobe. The 3.8 GB file appeared to be the same one they had found on the server with the other data stolen from Adobe.
Adobe’s spokesperson, Heather Edell, confirmed that the breach affected about 38 million active users. Edell said Adobe believes that the attackers also managed to access many invalid Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data. She also mentioned that Adobe has finished informing the affected active users and is working on contacting inactive users.
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users. We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not. We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident… Our notification to inactive users is ongoing.”
The investigations by Krebs on Security and Hold Security claim that the hackers stole the source code of Adobe products such as Photoshop, Acrobat, and Reader. Adobe confessed that some of the Photoshop source code was stolen. Hold Security suggested that the source code theft could have far-reaching security implications. “While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data,” the firm wrote. “Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.”
Adobe has released a help document for the affected users. Adobe encourages affected users to change their passwords if they receive an email notification from Adobe. Users are advised to use different passwords for different Adobe services. As a precaution, they should also change their password on any website where they may have used the same user ID and password as their Adobe ID and password.
Lessons learnt from the Adobe security breach:
- Companies must protect the keys used to encrypt sensitive user data. Although keys have become longer and harder to crack over the years, secure key management remains a problem. Most often, companies leave their keys on the server near the data they are protecting. As a result, an attacker who breaks into the server containing sensitive user data can easily reach the keys as well.
- Similarly, weak random number generators used to generate an encryption key can also be broken these days by connecting the computing power of a few regular PCs into a cloud-based type of bootleg supercomputer.
- As a customer, you can keep your data safe by using strong, hard-to-crack passwords. You should always use passwords that are at least 8 characters long and combine letters, numbers and special characters. Also change your passwords frequently. Use different passwords for different web services for better security. Tomorrow, we’ll be featuring an article on secure password management, featuring a great video from SpiderOak.
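The second lesson above, as an added example (not code from the original post or from Adobe): a key drawn from a non-cryptographic generator with a guessable seed is only as strong as the seed space, while a key from the operating system's CSPRNG cannot be reproduced this way. The timestamp seed, the two-hour window, the sample message and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import random
import secrets

KEY_BYTES = 16  # 128-bit key


def weak_key(seed: int) -> bytes:
    """Anti-pattern: key drawn from a non-cryptographic PRNG with a guessable seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_key() -> bytes:
    """Key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag; stands in for any output that lets a key guess be checked."""
    return hmac.new(key, message, hashlib.sha256).digest()


def find_seed(message: bytes, observed_tag: bytes, start: int, end: int):
    """Return the seed in [start, end) that reproduces the key, or None.

    A hit means the effective key space is the seed window, not 2**128.
    """
    for seed in range(start, end):
        if hmac.compare_digest(tag(weak_key(seed), message), observed_tag):
            return seed
    return None


# Constructed sample data: a key seeded with a Unix timestamp (hypothetical value).
CREATED_AT = 1383523200
WINDOW = (CREATED_AT - 3600, CREATED_AT + 3600)  # two-hour uncertainty
MESSAGE = b"constructed sample record"

if __name__ == "__main__":
    weak_tag = tag(weak_key(CREATED_AT), MESSAGE)
    strong_tag = tag(strong_key(), MESSAGE)
    print("time-seeded key reproduced from seed:", find_seed(MESSAGE, weak_tag, *WINDOW))
    print("CSPRNG key reproduced from seed:", find_seed(MESSAGE, strong_tag, *WINDOW))
```

The time-seeded key is reproduced after at most 7,200 guesses, which is why key generation belongs to `secrets` (or the platform's equivalent) rather than a general-purpose PRNG.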
SpiderOak Blue for Enterprises:
Finding a truly secure third-party cloud service can be a challenge, as many services on the market have security gaps that leave private data vulnerable to third-party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.
SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.