Jon Callas

Secure User Data with Hashed Passwords, Salts and Iterations

Lessons from Adobe's breach and heartbreak for Cupid Media's users

Recently, I commented on the Adobe breach in a post titled “How Secure is Your Old and Inactive User Data?”  The next week I followed up with, “Adobe’s Breach Widens.” It was then that Heather Edell, Adobe’s Senior Manager of Corporate Communications contacted me directly with a few details about how Adobe is responding to some of the 38 million customers whose data was made vulnerable by the breach:

Customers whose credit or debit card information was involved are receiving a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them.

I appreciated the email from Heather. The Adobe web page is very good with a lot of details, and jives with what Brian Krebs and others outlined.

I’ll also take this as a polite way to say that no, the email-address-only losses aren’t going to be notified. We’ll agree to disagree on that.

Read more…

Adobe’s Breach Widens

When will Adobe disclose the full extent of its breach to users?

Over the last week, the analysis of the Adobe breach has gotten more interesting.

The actual file itself has been available via BitTorrent. I found a torrent file and looked through it myself. If you’re interested, note that the torrent gets you a 4+GB zip of the actual 10GB of text.

Paul Ducklin at Sophos has published a very good analysis of the contents of that file. The summary is that each record has an account number, an account name, an email address, the encrypted password, and the person’s password hint.

Read more…

How Secure Is Your Old and Inactive User Data?

The need to root out old data goes well beyond creating disk space

A couple weeks ago Brian Krebs announced that Adobe had a serious breach, of customer data as well as source code for a number of its software products. Nicole Perlroth of The New York Times updated that to say that the breach appears to be much bigger than thought and, indeed, Krebs agrees. Adobe themselves announced it first, earlier than Krebs’s first report in CSO Brad Arkin’s terse blog post, Illegal Access to Adobe Source Code.

By now, breaches are hardly news at all. All of us pros flat out say that it isn’t a matter of *if* you get hacked, but *when*. Adobe’s is of note solely because of the way that the news has dribbled out. First, the “illegal access” to source code, then the news of lost customer data to the tune of 2.9 million, then upping that to 38 million, but really actually (maybe?) 150 million. The larger number is expired accounts—or something.

Read more…