Skip to main content

Facebook & Others Help Users Hit by Adobe Data Breach

Are you one of the 38 million Adobe customers whose account information was stolen in a massive data breach earlier this fall?

If so, websites such as Facebook, Diapers.com and Soap.com may have sent you a message warning you that you're using the same email/password combination on their sites, and prompting you to change your password.

On Facebook, some users received the message: "Recently, there was a security incident on another website unrelated to Facebook.  Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places."

Users were then asked to change their Facebook passwords and answer a few security questions.

MORE: Adobe Data Breach: How to Protect Yourself

How do these websites know if you're using the same email/password combination with them as with Adobe? 

Adobe used a very weak form of single-key, reversible encryption to store its users' passwords. Even without the key, it's fairly easy, for technical reasons, to guess the password just by looking at the encrypted string.

A good chunk of the Adobe user data has thus effectively been decrypted, letting websites with take-charge security departments analyze it and, if need be, alert their own user bases.

"We used the plaintext passwords that had already been worked out by researchers," Facebook security engineer Chris Long confirmed on security expert Brian Krebs' blog.

Long also confirmed Krebs' speculation that Facebook checked whether the passwords were the same by "hashing [the known passwords] using whatever internal hashing mechanisms that Facebook users, and then comparing those against any overlap in email addresses."

If Long is being honest, then Facebook's user-data security is already far stronger than Adobe's.

Facebook doesn’t actually store users' plaintext passwords. Rather, it stores a "hash," a random-looking string of data generated by a mathematical algorithm that both masks the length of passwords and is nearly impossible to reverse.

That means Facebook didn't look at your Facebook password to see if it matched the one used at Adobe. Facebook probably doesn't even know your Facebook password.

Rather, Facebook did what Adobe should have done in the first place — hashed the Adobe passwords. Then it compared the resulting encrypted strings.

Facebook's findings weren't based on the entirety of the Adobe data breach, just the parts of it that researchers have been able to decrypt. So if you were using the same username/password combination on Adobe and Facebook, but you haven't received a notification, your password has thus far not been cracked.

If you're still wondering whether the Adobe data breach affected you, you can search for your email address among the leaked data set using a tool created by Belgium-based Web designer Ilas Ismanalijev.

Ismanalijev's tool quickly sifts through the massive data set to see if your email address is among more than 150 million listings. (Adobe has said that only 38 million accounts were actually compromised.)

To check the data yourself would require you to download the 3.4-gigabyte dataset (it's available in several places online) and perform a potentially time-consuming search that would temporarily eat up your machine's processing power.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.