Adobe’s Breach Widens

When will Adobe disclose the full extent of its breach to users?

Over the last week, the analysis of the Adobe breach has gotten more interesting.

The actual file itself has been available via BitTorrent. I found a torrent file and looked through it myself. If you’re interested, note that the torrent gets you a 4+GB zip of the actual 10GB of text.

Paul Ducklin at Sophos has published a very good analysis of the contents of that file. The summary is that each record has an account number, an account name, an email address, the encrypted password, and the person’s password hint.

It is quite likely that you said, “password hint?” to yourself. Yeah, the password *hint*. In plaintext. The problem is that it’s a clue to what the password is, and is consequently even more dangerous than the password itself. As you look through those records, there are hints like “daughter’s name” or “same as other service” or “birthday and anniversary” and so on.

On top of that, the people who stored the encrypted passwords made two mistakes. The first is that they encrypted the password rather than storing a hash of it. The Sophos article has a great discussion of why this is suboptimal, so I won’t bore you with it. The second mistake was that every chunk of eight characters was encrypted separately. Thus, not only can you *reverse* the encrypted password back to the plaintext one, but the chunking also makes long passwords less effective.
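To make the two mistakes concrete, here is an added example (not code from Adobe, Sophos, or the original post) that stores constructed passwords both ways: encrypted in independent eight-byte chunks, and as a salted hash. The toy Feistel cipher, the key, the sample records, and the choice of PBKDF2 are all assumptions of this example.

```python
import hashlib, hmac, os

BLOCK = 8                       # chunk size described in the post
KEY = b"constructed-demo-key"   # assumption: one key shared by every record

# Constructed sample records (user, password); not data from the breach.
RECORDS = [("alice", "sunshine"), ("bob", "sunshine"), ("carol", "sunshine2013!")]

def _f(half, rnd):
    # Round function of the toy cipher (keyed hash, truncated to 4 bytes).
    return hmac.new(KEY, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _enc_block(block):
    # 4-round Feistel network: toy stand-in for the real cipher.
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(right, rnd))
    return left + right

def _dec_block(block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(left, rnd)), left
    return left + right

def encrypt_password(pw):
    # Zero-pad, then encrypt every 8-byte chunk independently.
    data = pw.encode() + b"\0" * (-len(pw.encode()) % BLOCK)
    return b"".join(_enc_block(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def decrypt_password(ct):
    # Anyone holding KEY recovers every plaintext: encryption is reversible.
    pt = b"".join(_dec_block(ct[i:i + BLOCK]) for i in range(0, len(ct), BLOCK))
    return pt.rstrip(b"\0").decode()

def hash_password(pw, salt=None):
    # Salted, slow, one-way: PBKDF2 is this example's choice of hash.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 600_000)

def matching_first_blocks(store):
    # Pairs of users whose stored values begin with the same 8 bytes.
    rows = [(user, store(pw)[:BLOCK]) for user, pw in RECORDS]
    return [(a, b) for i, (a, x) in enumerate(rows) for b, y in rows[i + 1:] if x == y]
```

Under the chunked scheme all three constructed users are linked by their first block, so one revealing hint exposes every account in the group, and the long password gains nothing for its first eight characters. With a per-user salt and a one-way hash, no two stored values match and nothing can be decrypted.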

All of this has led to some hilarious ridicule. Randall Munroe of the XKCD cartoon described it as “the greatest crossword puzzle in the history of the world.” He’s so right that it’s hilarious. This breach is so bad that rather than mad computer skills, crossword puzzle skills are useful to hackers.

On the plus side, we now know why there were so many inconsistent numbers about the breach. There are 150 million records. Only 38 million of those have a password associated with them. The smallest large number, around 3 million, is the number of actual Adobe accounts. These numbers explain the extended reveal on the details of the breach.

Nonetheless, Adobe needs to disclose to all these people. It’s the law of the state that they reside in. It doesn’t have to be much; an email would suffice in many cases. But it still needs to be done.

