Security News: Adobe Accounts Hacked

John Crafts | Informational Blog, Web Security Blog

Last month, attackers broke into Adobe's servers, and a dump of 130 million (and growing) user logins and passwords has since been posted publicly. The accounts, some active and some inactive, were tied to Adobe products, and the stolen records also included card details, names, addresses and a multitude of other customer information.

Jeremi Gosney of Stricture Consulting Group analysed the leaked user and password data. The passwords in the dump were not hashed but encrypted, with 3DES in ECB mode under a single key and no per-user salt, and the password hints were stored in plain text. That means every user with the same password has the same ciphertext, so counting identical ciphertexts and reading the hints next to them exposes the most common passwords without ever recovering the key. The analysis showed that a very large share of Adobe's users had chosen passwords so weak that anyone could guess them. The top 20 were:

  • “123456”
  • “123456789”
  • “password”
  • “adobe123”
  • “12345678”
  • “qwerty”
  • “1234567”
  • “111111”
  • “photoshop”
  • “123123”
  • “1234567890”
  • “000000”
  • “abc123”
  • “1234”
  • “adobe1”
  • “macromedia”
  • “azerty”
  • “iloveyou”
  • “aaaaaa”
  • “654321”
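As an added illustration (not part of the original post, and not Gosney's actual tooling), the script below reproduces the kind of analysis described above on a constructed mini-dump. Because the standard library has no 3DES, a stand-in block transform is used that keeps the two properties that matter for the attack: no salt, and each 8-byte block is transformed independently under one fixed key. The record layout, the server key and all accounts are assumptions made for the demo. The same block then shows the contrast a practitioner wants: a salted, slow hash gives two users with the same password unrelated stored values, so the grouping trick stops working.

```python
import base64
import hashlib
import hmac
import os
from collections import Counter, defaultdict

BLOCK = 8  # 3DES block size in bytes
# Assumed stand-in for the single server-side key the whole table was encrypted under.
SERVER_KEY = b"assumed-single-server-key"


def ecb_like_encrypt(password: str) -> str:
    """Stand-in for 3DES in ECB mode (stdlib only, so no real 3DES here).

    What matters for the analysis is preserved: no salt, no IV, and every
    8-byte block is transformed independently under one fixed key, so equal
    plaintext blocks always produce equal ciphertext blocks.
    """
    data = password.encode()
    data += b"\x00" * (-len(data) % BLOCK)  # simplified zero padding
    out = b"".join(
        hmac.new(SERVER_KEY, data[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
        for i in range(0, len(data), BLOCK)
    )
    return base64.b64encode(out).decode()


# Constructed sample accounts (email, password, hint); not real data.
USERS = [
    ("a@example.com", "123456", "numbers"),
    ("b@example.com", "123456", "1 to 6"),
    ("c@example.com", "123456", "the usual"),
    ("d@example.com", "adobe123", "company plus 123"),
    ("e@example.com", "adobe123", ""),
    ("f@example.com", "adobe1234", "adobe and numbers"),
    ("g@example.com", "password", "it is what it is"),
    ("h@example.com", "correcthorsebatterystaple", ""),
]


def make_dump(users):
    """Render records in an assumed layout loosely modelled on the leaked file:
    uid-|-username-|-email-|-ciphertext-|-hint|--"""
    return [f"{uid}-|--|-{email}-|-{ecb_like_encrypt(pw)}-|-{hint}|--"
            for uid, (email, pw, hint) in enumerate(users, 1)]


def parse_record(line):
    if line.endswith("|--"):
        line = line[:-3]
    uid, username, email, ct, hint = line.split("-|-")
    return {"uid": uid, "email": email, "ct": ct, "hint": hint}


def rank_ciphertexts(records):
    """Most common ciphertexts first. Because encryption is deterministic and
    unsalted, each ciphertext corresponds to exactly one password, and the
    plain-text hints of everyone sharing it usually give that password away."""
    counts = Counter(r["ct"] for r in records)
    hints = defaultdict(list)
    for r in records:
        if r["hint"]:
            hints[r["ct"]].append(r["hint"])
    return [(ct, n, hints[ct]) for ct, n in counts.most_common()]


def shared_prefix_groups(records):
    """ECB leaks more than equality: users whose first ciphertext block matches
    share the first 8 bytes of their password even if the rest differs."""
    groups = defaultdict(set)
    for r in records:
        groups[base64.b64decode(r["ct"])[:BLOCK]].add(r["email"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def salted_hash(password: str, salt=None) -> str:
    """What the store should have done: a salted, slow password hash.
    Two users with the same password get unrelated stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_hash(password: str, stored: str) -> bool:
    salt_hex, _digest_hex = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    records = [parse_record(line) for line in make_dump(USERS)]
    for ct, n, hints in rank_ciphertexts(records):
        print(f"{n} users  {ct[:12]}...  hints={hints}")
    print("shared first block:", shared_prefix_groups(records))
    print("same password, different stored value:",
          salted_hash("123456") != salted_hash("123456"))
```

Run it and the three "123456" users fall into one bucket with their hints side by side, while "adobe123" and "adobe1234" show up together in the shared-prefix output because their first 8 bytes encrypt to the same block. The salted PBKDF2 values at the end never collide, which is exactly why frequency analysis of a properly hashed database tells you nothing.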

While Adobe cleans up on its end, how do you know whether your account was in the dump? And if it was, what can you do about it?

1. CHECK IF YOU ARE ON THE LIST

The first step is to check whether you are on the list of compromised accounts. LastPass, which also released lookup tools after the LinkedIn and eHarmony breaches, has published a web app that checks whether your email address appears in the dump: type in your address and press “TEST MY EMAIL”. A hit means your record is in the leaked file; it does not tell you whether your password has been worked out yet, so treat it as compromised either way.

2. CALL YOUR BANK

Because many Adobe accounts have payment card details attached (to buy the products), it is a good idea to call your bank or card issuer and review recent transactions for anything you do not recognise, especially if you stored card details with Adobe.

3. CHANGE YOUR ADOBE PASSWORD

The next step is to log in to Adobe's website and change your password, choosing one you do not use anywhere else.

4. CHANGE YOUR OTHER PASSWORDS

Did you use your Adobe password anywhere else? If so, it is time to change it on every account that shares it, ESPECIALLY IF THAT EMAIL ADDRESS IS THE LOGIN EMAIL FOR MANY OTHER ACCOUNTS WITH THE SAME PASSWORD. The leaked email and password pairs are now public, so attackers add them to their wordlists for dictionary attacks on other password databases and simply replay the same email/password combinations against other sites' login pages (credential stuffing); none of that requires guessing anything.

All in all, Adobe made a few mistakes but is working quickly to fix them with law enforcement and others, while third parties such as LastPass have released tools to help affected users.

One of the most interesting takeaways from this breach is the sheer amount of password and username analysis that was possible with the dump, which showed how weak most people's passwords are. Choosing a strong password is probably the easiest security tip of all, yet the one that fails most often.

One trick I use to remember passwords, while keeping them complex and different for every account, is the sentence technique. I think of a sentence, say for example “Bob Dole Loves To Talk To Bob Dole”, and take the first letter of each word (sometimes replacing words like “to” and “for” with their numeric equivalents) to craft the password, which ends up being “BDl2t2BD!”. This lets me remember a weird password containing upper and lower case characters, numbers and punctuation by remembering only that simple sentence.

Another trick I have used is the unrelated word technique: think of three or four full words and string them together as your password, for example “yellowbananacowboyparachute”. This will not work on every website, because some sites require capitals, numbers or punctuation and others limit the number of characters, but a password like this is still very difficult to crack with any traditional method.
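The following is an added example (not the author's code) that turns the two techniques above into something you can run: a function that applies the sentence rule, a word-passphrase generator that lets a CSPRNG pick the words so they really are unrelated, an entropy estimate for that case, and a checker for the site rules the author warns about (length limits, required character classes). The word-to-digit table beyond “to” and “for”, the demo wordlist and the policy parameters are assumptions; the author's own “BDl2t2BD!” lower-cases two letters by hand, which the mechanical rule here does not.

```python
import math
import re
import secrets

# Words the author's "to"/"for" rule turns into digits; the extra entries are an
# assumed extension of that rule.
NUMERIC_WORDS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
                 "one": "1", "ate": "8"}

# Constructed wordlist for the demo only. A real list needs thousands of words:
# the entropy estimate below depends on list size, not on how long the words are.
DEMO_WORDS = ["yellow", "banana", "cowboy", "parachute", "marble", "kettle",
              "violin", "glacier", "pepper", "lantern", "orbit", "walrus"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def sentence_to_password(sentence, suffix="!"):
    """Sentence technique: first letter of each word (case kept as written),
    number-like words replaced by digits, plus a trailing punctuation mark."""
    out = []
    for word in sentence.split():
        clean = word.strip(".,;:'\"?!")
        if not clean:
            continue
        out.append(NUMERIC_WORDS.get(clean.lower(), clean[0]))
    return "".join(out) + suffix


def word_passphrase(wordlist, n=4, sep=""):
    """Unrelated-word technique with the choice made by a CSPRNG rather than a
    human; people asked for 'unrelated' words tend to pick related ones."""
    return sep.join(secrets.choice(wordlist) for _ in range(n))


def passphrase_bits(list_size, n):
    """Entropy in bits when the attacker knows the list and the word count.
    That is the right assumption: the technique is public, only the words are secret."""
    return n * math.log2(list_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every passphrase at the given guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def policy_problems(pw, min_len=8, max_len=None, need_upper=False,
                    need_digit=False, need_punct=False):
    """Reasons a site with these rules would reject the password (empty list =
    accepted). Long all-lowercase passphrases trip the max-length and
    character-class rules the author mentions."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len}")
    if max_len is not None and len(pw) > max_len:
        problems.append(f"longer than {max_len}")
    if need_upper and not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if need_digit and not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if need_punct and not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no punctuation")
    return problems


if __name__ == "__main__":
    print(sentence_to_password("Bob Dole Loves To Talk To Bob Dole"))
    print(word_passphrase(DEMO_WORDS, 4))
    for words in (4, 5, 6):
        bits = passphrase_bits(7776, words)  # 7776 = a standard diceware-sized list
        print(f"{words} words from 7776: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1e9):.2f} years at 1e9 guesses/s")
    print(policy_problems("yellowbananacowboyparachute", max_len=16, need_digit=True))
```

The entropy loop is the caveat worth keeping in mind: four words from a 7776-word list is about 52 bits, which a fast unsalted scheme like Adobe's could be searched through in weeks at a billion guesses per second, while a slow salted hash pushes that out by orders of magnitude. The strength comes from the number and randomness of the words, not from the length of the string.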

John