Adobe's massive data breach, first revealed a month ago, just keeps getting worse. It now appears that the passwords in 150 million stolen account credentials — affecting at least 38 million individual accounts — were protected using an embarrassingly weak type of encryption.
The 150 million entries include email addresses, encrypted passwords, password hints and some usernames.
That's in addition to 2.9 million separate Adobe account records that included individuals' full names, addresses and credit card information. This theft, which is part of the same overall data breach, was first reported on Oct. 3.
At that time, Adobe had said the first batch of account data was encrypted and therefore inaccessible to thieves.
Since then, much more stolen Adobe data has appeared online in the form of a 3.8-gigabyte file that is easy to find.
After analyzing part of the giant file, researchers at British security firm Sophos concluded that the included passwords were encrypted with a single key using a symmetric, or reversible, algorithm.
That means whoever figures out the key will be able to decrypt the password for every affected Adobe account, no matter how strong the password might be.
"Anyone who computes, guesses or acquires the decryption key immediately gets access to all the passwords in the database," Sophos security writer Paul Ducklin explained on the company's NakedSecurity blog.
Although the data dump contains credentials for around 150 million accounts, Adobe says many of those accounts are duplicates, test accounts or inactive, and that only about 38 million Adobe clients have been affected.
It may be possible to reverse-engineer the Adobe encryption key by matching just a few encrypted/plaintext password pairs. The puzzle is made easier by the fact that the password hints were apparently stored in plaintext and hence perfectly visible.
For example, one of the most frequently occurring encrypted passwords is "L8qbAD3jl3jioxG6CatHBw==," which repeatedly appears alongside hints such as "password" and "the password is password." Because of this, one can assume that "L8qbAD3jl3jioxG6CatHBw==" corresponds to the password "password."
Similar patterns arise for other common passwords, such as "123456," "letmein" and "qwerty."
As of this posting, no one has come forward claiming to have reverse-engineered the Adobe decryption key. But it's probably just a matter of time.
This security nightmare could have been easily avoided if Adobe had used a cryptographic hash function.
Using this method, a service doesn't store the passwords themselves. Rather, it stores a one-way hash: a string of seemingly random data that both masks the length of the password to which it corresponds and, more importantly, cannot be reversed (hence the "one-way" name).
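As an added illustration (this is not Adobe's code and not part of the Sophos analysis), the Python below contrasts the two storage approaches described above on a constructed set of four users. The one-way side uses PBKDF2-HMAC-SHA256 with a fresh random salt per user, an assumed choice for the hash function; the "single key, reversible" side is modelled with an HMAC under one server key, which keeps the demo itself non-reversible but reproduces the property that matters here: every user with the same password gets the same stored value. The audit helper counts how many stored values are shared between accounts, which is the kind of check an operator can run against their own password store.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed example: contrasts a deterministic single-key scheme with a
# salted one-way hash. Not Adobe's or Sophos's code.

PBKDF2_ROUNDS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$rounds$salt_hex$digest_hex.

    The digest is fixed-length, so the record reveals nothing about the
    password's length, and there is no key that could reverse it.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and rounds, compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept
    _, rounds, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def deterministic_token(password: str, server_key: bytes) -> str:
    """Stand-in for the single-key scheme the article describes.

    Same key + same password always yields the same stored value. HMAC is
    used only so the demo is not reversible; the point is the determinism.
    """
    return hmac.new(server_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def count_shared_values(stored: Dict[str, str]) -> int:
    """Audit helper: number of distinct stored values shared by more than one user."""
    counts: Dict[str, int] = {}
    for value in stored.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


# Constructed sample accounts: three of four users chose "password".
SAMPLE_USERS = {"alice": "password", "bob": "password", "carol": "letmein", "dave": "password"}


def demo() -> tuple:
    """Return (shared values under single-key scheme, shared values under salted hashing)."""
    server_key = os.urandom(32)  # hypothetical server-side key for the deterministic scheme
    single_key_store = {u: deterministic_token(p, server_key) for u, p in SAMPLE_USERS.items()}
    hashed_store = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    return count_shared_values(single_key_store), count_shared_values(hashed_store)


if __name__ == "__main__":
    shared_single, shared_hashed = demo()
    print(f"single-key scheme: {shared_single} stored value(s) shared between users")
    print(f"salted hashing:    {shared_hashed} stored value(s) shared between users")
```

Under the single-key scheme the three "password" users collapse to one repeated stored value, which is exactly the pattern the hints exposed in the Adobe dump; with per-user salts the same three users get three unrelated records, and verification still works because the salt and work factor travel with the record.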
The poor encryption that Adobe used to store customer data is even worse than the fact that the breach happened in the first place. It's a lesson in the everyday importance of strong encryption. Unfortunately, that lesson comes at the expense of more than 38 million Adobe users.
How to protect yourself
So what if you think you're among the 38 million affected Adobe customers?
First, change your Adobe password immediately. If you used your Adobe password for any other online accounts, you should change those passwords too.
You should also change the passwords — even if they're different — for any other Adobe services you may use, such as EchoSign, Behance, TypeKit, Marketing Cloud and Connect Pro.
While you're creating those new passwords, make sure they're long and strong. Passwords should be 10 or more characters in length and contain numbers and punctuation marks as well as upper- and lowercase letters.
The more random the assortment of characters, the better; if you base the password on a word or name, cybercriminals can use what's called a "dictionary attack" by systematically guessing all words and combinations of words found in a dictionary.
You also should use different passwords for every single one of your online accounts. That way, should a data breach compromise one of your accounts, the criminals won't be able to compromise other accounts as well.
Adobe has posted a statement that it has reset the passwords of affected users and is notifying users via email to change the passwords once again, though that page seems to have last been updated Oct. 3.
It doesn't appear that any credit card data was compromised beyond those on the initial 2.9 million records, but to be sure, you'll want to detect any unauthorized credit card use. Register for credit alerts with your credit card companies, and also with the three major credit-reporting agencies, Equifax, Experian and TransUnion.