Adobe Hacked – LastPass Reveals

I get a daily Rabbitgram email from The Rabbit Agency, a UK social media agency that sends me a pick of the day’s social media and tech news links.

This morning one of the items in the Rabbitgram was this:

#7 – Over 150m breached records from Adobe hack have surfaced online (The Verge)

Surfaced? Surfaced where?

I knew Adobe had been hacked. Not only had I read about it on several websites, I had received a ‘precautionary’ reset password email from Adobe.

Adobe had said that around 3 million login credentials had been stolen. Other sources said the number was around 38 million. Now the Verge was saying it was 150 million and that:

according to Paul Ducklin at Naked Security, a database of Adobe user data has turned up online at a website frequented by cyber criminals.

Oh I see, the hackers published the hacked information on a site frequented by cyber criminals. Great, just what I and 150 million other users need.

The Verge article mentioned that:

LastPass has set up an online tool to quickly find out if your email address is listed in the massive database.

I changed my password as soon as I got the prompt from Adobe after the hack, so there was nothing new I would be revealing.

And I know LasPass is an upright outfit, so I didn’t worry too much about putting a valid email address into their search tool to see whether the address and password had been compromised in the Adobe hack.

I tried the tool with the email address that I signed into Adobe with. And I tried it with a fake address that I doubted anyone had, to see what that would bring up.

An email I actually use:

A fake email that I doubt anyone has:

So the funny (not amusing) thing is that Adobe goes through all these encryption somersaults to make sure no one steals their products. They move to a subscription-based model to prevent people circulating ripped copies of their software – and then according to Paul Ducklin of NakedSecurity they use weak encryption methods to protect customer data.

The article by Paul Ducklin is well worth reading and I recommend you do so because it is probably the nearest that most of us will get to a clear exposition of how to and how not to encrypt passwords.