How Adobe’s Messy Password Breach Can Spill to Sites Like Diapers.com
The epic blunder that led to the publication of more than 130 million encrypted Adobe passwords is generating security alerts at some unlikely websites now that researchers have figured out how to decrypt significant portions of the massive trove.
Members of Facebook’s security team have already combed through the cache to identify users who used the same login credentials on both the Adobe and Facebook sites, and in some cases they have mandated password resets based on that analysis, KrebsonSecurity’s Brian Krebs reported. A spokesman told him it was a routine measure Facebook employees take to safeguard user accounts following big breaches.
Indeed, the practice makes sense. Adobe’s use of reversible encryption in a mode that leaks patterns across ciphertexts has allowed researchers to decipher a large number of passcodes. Last week, password security expert Jeremi Gosney published a list of the top 100 Adobe passwords, and as usual, it was topped by dogs such as “123456”, “123456789”, and “password”. If the credentials are this easy for whitehats to come by, there’s nothing stopping blackhats from doing even better, since they have so much more to gain. Armed with a user e-mail and the corresponding Adobe password, they’re free to try the combination to hijack accounts on other sites and then use those accounts in spam and phishing campaigns, along with other fraudulent schemes.
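The routine measure Krebs describes, comparing a breach's recovered credentials against a site's own user base and forcing resets where they match, can be done without the site ever storing a reversible copy of anyone's password. The following is an added example (not Adobe's, Facebook's, or any site's actual code): the site keeps per-user salted PBKDF2 hashes, and for each breached (e-mail, plaintext) pair it hashes the leaked password under that user's own salt and compares. The breach records and user accounts are constructed for the example, and the function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed breach records: e-mail addresses paired with the plaintext
# passwords a researcher recovered from a dump. Made up for this example.
BREACHED_CREDENTIALS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "password"),
    ("dave@example.com", "hunter2"),
]

PBKDF2_ITERATIONS = 50_000  # chosen for example speed; production values are higher


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """One-way, per-user salted hash: the storage a site should use instead of
    reversible encryption. Identical passwords yield different hashes because
    each user has a distinct salt, so nothing in the table leaks who shares a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_record(email: str, password: str) -> dict:
    """Create a site account record with a fresh random salt (assumed schema)."""
    salt = os.urandom(16)
    return {
        "email": email,
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": hash_password(password, salt, PBKDF2_ITERATIONS),
    }


def find_reused_credentials(breached: list, site_users: list) -> list:
    """Return the e-mails of site users whose current password equals the one
    leaked for the same e-mail address in the breach. Matching is keyed on the
    e-mail so a leaked password for one person is never tried against others."""
    users_by_email = {u["email"].lower(): u for u in site_users}
    flagged = []
    for email, leaked_password in breached:
        user = users_by_email.get(email.lower())
        if user is None:
            continue  # breached person has no account here
        candidate = hash_password(leaked_password, user["salt"], user["iterations"])
        # constant-time comparison, so timing does not reveal partial matches
        if hmac.compare_digest(candidate, user["hash"]):
            flagged.append(user["email"])
    return sorted(flagged)


def demo_reuse_check() -> list:
    """Constructed site accounts: alice reused her breached password, bob did
    not, and eve uses a password that leaked for someone else (not flagged,
    since the check is keyed on e-mail)."""
    site_users = [
        make_user_record("alice@example.com", "123456"),
        make_user_record("bob@example.com", "a-different-passphrase"),
        make_user_record("eve@example.com", "password"),
    ]
    return find_reused_credentials(BREACHED_CREDENTIALS, site_users)


if __name__ == "__main__":
    for email in demo_reuse_check():
        print(f"reset required: {email}")
```

Accounts returned by `find_reused_credentials` are the ones to force through a password reset; everyone else is untouched, and the site never needs to write the leaked plaintexts anywhere after the comparison.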