I get a daily Rabbitgram email from The Rabbit Agency, a UK social media agency that sends me a pick of the day’s social media and tech news links.
This morning one of the items in the Rabbitgram was this:
#7 – Over 150m breached records from Adobe hack have surfaced online (The Verge)
Surfaced? Surfaced where?
I knew Adobe had been hacked. Not only had I read about it on several websites, I had received a ‘precautionary’ reset password email from Adobe.
Adobe had said that around 3 million login credentials had been stolen. Other sources said the number was around 38 million. Now The Verge was saying it was 150 million and that:
according to Paul Ducklin at Naked Security, a database of Adobe user data has turned up online at a website frequented by cyber criminals.
Oh I see, the hackers published the hacked information on a site frequented by cyber criminals. Great, just what I and 150 million other users need.
The Verge article mentioned that:
LastPass has set up an online tool to quickly find out if your email address is listed in the massive database.
I changed my password as soon as I got the prompt from Adobe after the hack, so there was nothing new I would be revealing.
And I know LastPass is an upright outfit, so I didn’t worry too much about putting a valid email address into their search tool to see whether the address and password had been compromised in the Adobe hack.
I tried the tool with the email address that I signed into Adobe with. And I tried it with a fake address that I doubted anyone had, to see what that would bring up.
So the funny (not amusing) thing is that Adobe goes through all these encryption somersaults to make sure no one steals their products. They move to a subscription-based model to prevent people circulating ripped copies of their software – and then, according to Paul Ducklin of Naked Security, they use weak encryption methods to protect customer data.
The article by Paul Ducklin is well worth reading and I recommend you do so because it is probably the nearest that most of us will get to a clear exposition of how to and how not to encrypt passwords.
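To make the “how to and how not to” concrete, here is a small added example of my own (not from Adobe, Naked Security or LastPass). It contrasts a deterministic scheme, where every user’s password goes through the same fixed transformation with no per-user salt, against a per-user salted, deliberately slow hash using PBKDF2 from Python’s standard library. The user list and passwords are constructed for the demonstration, and the deterministic scheme uses an unsalted digest as a stand-in for a single-key encryption step; the property it shows (two users with the same password end up with the same stored value, so one cracked entry gives away everyone who chose it) is what makes the deterministic approach weak regardless of the algorithm behind it.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data: three users, two of whom chose the same password.
USERS = {
    "alice@example.invalid": "correct horse battery staple",
    "bob@example.invalid": "correct horse battery staple",
    "carol@example.invalid": "hunter2",
}


def store_deterministic(password: str) -> str:
    """How NOT to store a password: one fixed transformation, no per-user salt.

    An unsalted SHA-256 digest stands in here for any deterministic scheme,
    including single-key encryption (assumption: this simulates the weakness,
    it does not reproduce any vendor's actual code). Equal passwords produce
    equal stored values, so the whole table can be attacked at once with a
    precomputed list, and one recovered entry unlocks every matching user.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_hashed(password: str, iterations: int = 200_000) -> str:
    """How TO store a password: random per-user salt plus a slow KDF.

    PBKDF2-HMAC-SHA256 from the standard library is used. The record carries
    its own parameters as 'iterations$salt$digest' so the work factor can be
    raised later without breaking verification of older entries.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def weak_table() -> dict:
    """Credential table built the deterministic way."""
    return {email: store_deterministic(pw) for email, pw in USERS.items()}


def strong_table() -> dict:
    """Credential table built with per-user salts and PBKDF2."""
    return {email: store_hashed(pw) for email, pw in USERS.items()}


def shared_value_groups(table: dict) -> int:
    """Number of distinct stored values shared by more than one user.

    A defender auditing a leaked or internal table can use this as a quick
    indicator: any count above zero means the scheme leaks password equality.
    """
    counts = Counter(table.values())
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    print("shared values, deterministic scheme:", shared_value_groups(weak_table()))  # 1
    print("shared values, salted PBKDF2 scheme:", shared_value_groups(strong_table()))  # 0
    record = store_hashed("hunter2")
    print("verify correct password:", verify_hashed("hunter2", record))  # True
    print("verify wrong password:  ", verify_hashed("Hunter2", record))  # False
```

The point of the salted version is not secrecy of the salt but uniqueness: because alice and bob get different random salts, their identical passwords produce unrelated records, and an attacker holding the table has to attack each user separately at the full PBKDF2 cost. The iteration count of 200,000 is a placeholder; pick it so a single verification takes a noticeable fraction of a second on your own hardware.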