Adobe confirms customer data breach - Update
A hacker says that he managed to break into an Adobe server and copy the private credentials of approximately 150,000 users – including their names, email addresses and password hashes. To prove the attack, the intruder, who goes by the name of "ViruS_HimA" and claims to be from Egypt, has released extracts from his haul on the anonymous Pastebin text hosting service. The data includes details of users who the attacker has associated with Adobe, the US military and US government circles based on their email addresses.
Talking to security magazine Dark Reading, the hacker said that he managed to exploit an SQL injection hole for his attack. Apparently, he didn't encounter any obstacles such as a Web Application Firewall (WAF) that would filter out potentially dangerous HTTP requests. The attacker explained that he publicised the intrusion to highlight the vulnerabilities and motivate companies such as Adobe to enhance their security.
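The attack vector described above, SQL injection, comes down to untrusted input being pasted into SQL text. The following is an added illustration, not code from the article or from Adobe's forum software, using an in-memory SQLite table with constructed sample rows; the table layout, function names and the sample e-mail addresses are assumptions. It places a vulnerable lookup beside its parameterised replacement, which is the fix that removes the bug rather than relying on a WAF to filter requests:

```python
import sqlite3


def make_db():
    """Constructed sample forum user table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, pw_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable pattern: the caller's string becomes part of the SQL itself.

    A value containing a quote character changes the query's structure, so the
    WHERE clause no longer means what the developer intended.
    """
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Hardened pattern: parameter binding keeps the input as data.

    The SQL text is fixed; the driver passes the value separately, so quote
    characters in the input are matched literally and never parsed as SQL.
    """
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 'a'='a"  # constructed input containing a quote character
    print("unsafe:", lookup_unsafe(db, probe))  # structure altered: every row returned
    print("safe:  ", lookup_safe(db, probe))    # literal match: no such e-mail, empty list
```

The only difference between the two functions is where the input goes; with binding, the database never sees the quote as syntax, which is why parameterised queries (or an ORM that uses them) are the baseline defence and a WAF is at best a secondary layer.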
On its blog, Adobe has confirmed that an unauthorised third party successfully launched an attack on one of the company's customer databases. According to Adobe, the data originates from the Connectusers.com web site, which is a forum for customers of the Adobe Connect web conferencing service. The forum has since been temporarily suspended. Adobe says that the attacker didn't compromise the Adobe Connect service itself or any other areas of the company's web presence.
Adobe hasn't confirmed the attacker's claim that 150,000 user records were affected; neither has it provided any information on its password storage mechanisms. According to the hacker, Adobe's database contained MD5 hashes that can easily be cracked.
Update 15-11-12 14:55: According to security firm Sophos, the passwords were stored as unsalted MD5 hashes, which can be cracked quickly using modern CPU and GPU hardware. If the database extract turns out to be genuine, Adobe should have invested a little more effort in protecting the passwords of its users. The article "Storing passwords in uncrackable form" at The H Security explains how administrators can prevent passwords from being cracked this easily.
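To make concrete why unsalted MD5 (as reported above) is a weak choice and what the linked advice amounts to in practice, here is an added example that is not part of the article and does not reflect Adobe's actual implementation. It contrasts a bare MD5 digest with a salted, iterated PBKDF2-HMAC-SHA256 hash from Python's standard library; the storage format, iteration count and function names are assumptions of this example, and the sample passwords are constructed:

```python
import hashlib
import hmac
import os

# Illustrative work factor; tune to the hardware so one verification costs
# tens of milliseconds. Higher is slower for attackers and for you alike.
ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The reported weak scheme: one fast hash, no salt.

    Equal passwords give equal digests, so a single precomputed or cracked
    value unlocks every account sharing that password.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing record: algo$iters$salt$dk."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, non-integer iterations)
        return False


if __name__ == "__main__":
    # Two constructed users who chose the same password
    a, b = "correct horse", "correct horse"
    print("md5 identical:", md5_unsalted(a) == md5_unsalted(b))          # True
    print("pbkdf2 identical:", hash_password(a) == hash_password(b))     # False
    record = hash_password(a)
    print("verify ok:", verify_password(a, record))                      # True
    print("verify wrong:", verify_password("wrong password", record))    # False
```

The salt defeats shared precomputation (rainbow tables and cracking many hashes at once), and the iteration count makes each guess expensive; a dedicated password hash such as bcrypt, scrypt or Argon2 is preferable where available, but the structure of the record and of the verify step is the same.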
(Uli Ries / crve)