Security firm says still more Adobe users are at risk



Password security firm LastPass said it has found data including email addresses, encrypted passwords and password hints for 152 million users of Adobe Systems software, stored on an underground website.

This is still more fallout from a data security breach that Adobe acknowledged in early October, after it was discovered by security specialist KrebsOnSecurity. Initially, Adobe estimated that data of about 2.9 million users of Acrobat, Acrobat Reader, and ColdFusion was affected, but later in the month it upped that number to 38 million and added Photoshop to the list of affected software packages.

LastPass said what it found shows that still more users than that were impacted. An Adobe spokeswoman told Reuters it would be inaccurate to say 152 million accounts were compromised “because the database attacked was a backup system about to be decommissioned” and that many of those accounts were actually fictitious, set up for one-time use to give their creators access to free software.

It’s probably worth noting that LastPass offers a password management product. The first thing Adobe customers were told to do was to change their passwords.


Bob Hobson

One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel after one of the tags was responsible for getting my lost laptop returned to me in Rome one time. You can get them at


I have found personally that it is entirely accurate to state that over 150 million accounts have potentially been compromised by the leak of account data from Adobe. Having downloaded the file myself, which contains over 150M lines of data comprised of email addresses, encrypted passwords and password hints, it is both real and particularly scary that this information is available on the internet for any reasonably tech-savvy person to download and peruse. On analysis of the file, I’ve found both my personal and company email addresses, with the password hints that were set when creating the accounts. In addition, a number of email addresses associated to my clients (I work in the IT industry) were also present; 28 from one company and 15 from another, all of which were created relatively recently (within 2-3 months) for Creative Cloud registration, and hence have billing methods associated with them (credit/debit cards). These accounts are not (yet) known to have been compromised, due to the passwords having been encrypted using triple-DES, however they have all been encrypted using the same key; this is apparent from the padding used to extend the passwords to 16 bytes being the same for all of the encrypted strings. Even with the knowledge of both the plaintext and encrypted passwords, the difficulty of breaking the encryption key is within the extent of 2^56 to 2^168 bits, which is highly improbable, but also entirely possible, given the wealth of technical knowledge and high-powered computer hardware that exists in this day and age. It will only be a matter of time before the encryption key is cracked and all passwords will be revealed, in which case we would most likely have far more to worry about than somebody accessing our Adobe accounts without permission. Until then…

