The scale of the breach is not the only issue. Adobe announced that the user details had been encrypted – which immediately caused concerns. Best practice, if not essential practice – would be to hash and salt passwords using a slow algorithm; but Adobe's CSO said 'encrypted.'
"I really hope they don't mean encrypted passwords," an unnamed source told Infosecurity at the time. But he added, "Brad Arkin [the CSO] isn’t new to the security world, and I couldn't see him mixing up encrypted and hashed…" It now appears that he didn't.
Security researchers have located a 4GB compressed file of the stolen data dumped on the internet, and "listing," said Naked Security, "not just 38,000,000 breached records, but 150,000,000 of them." Sophos took every tenth record from this dump until it had retrieved a representative sample of 1,000,000 records – and analyzed them. What it found in the data stolen from Adobe is that the passwords are encrypted rather than hashed, users' emails are included in plaintext, and – just as worrying – the user's password hint is also stored in plaintext.
This is potentially a colossal blunder. First, since encryption rather than hashing has been used, every single password is retrievable in its jumbled text. And if that encryption is a weak one (Sophos suspects that it is either DES, which is weak, or 3DES, which is somewhat less so), then every single password is vulnerable. In some cases the addition of the hint even makes it directly guessable.
From a quick analysis, Sophos concluded, "we have already recovered an awful lot of information about the breached passwords, including: identifying the top five passwords precisely, plus the 2.75% of users who chose them; and determining the exact password length of nearly one third of the database.
"Bear in mind that salted hashes – the recommended programmatic approach here – wouldn't have yielded up any such information – and you appreciate the magnitude of Adobe's blunder."
For its part, Adobe is still playing down the incident. According to Reuters, Adobe spokeswoman Heather Edell said that it is not accurate to say that 150 million customer accounts had been compromised because, among other reasons, "'a large percentage' of the accounts were fictitious, having been set up for one-time use so that their creators could get free software or other perks."
But that large percentage is still vulnerable if people used the same password for this fictitious account as they have used elsewhere on the internet. An additional problem here is that such users may have completely forgotten they ever had an Adobe account, and now be oblivious to the possibility that they have other accounts vulnerable because of the Adobe hack.
LastPass, who also has access to the stolen data, has developed a test page for users to check whether their own email is one of the 150,000,000 stolen from Adobe. If it is – and especially if the user cannot remember what password was used – he or she should change this, potentially change all other passwords, and make sure that the same password is never again re-used across multiple accounts.