Adobe's breached user data found stashed on underground website by LastPass

Advertisement
By Reuters | Updated: 8 November 2013 10:53 IST
A computer security firm has uncovered data it says belongs to some 152 million Adobe Systems Inc user accounts, suggesting that a breach reported a month ago is far bigger than Adobe has so far disclosed and is one of the largest on record.

LastPass, a password security firm, said on Thursday that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on an underground website frequented by cyber criminals.

Adobe said last week that attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly 3 million accounts that it disclosed nearly a month earlier.

Advertisement

(Also see: Adobe says source code, data of 2.9 million customers stolen by hackers)

The maker of Photoshop and Acrobat software confirmed that LastPass had found records stolen from its data center, but downplayed the significance of the security firm's findings.

Advertisement

While the new findings from LastPass indicate that the Adobe breach is far bigger than previously known, company spokeswoman Heather Edell said it was not accurate to say 152 million customer accounts had been compromised because the database attacked was a backup system about to be decommissioned.

She said the records include some 25 million records containing invalid email addresses, 18 million with invalid passwords. She added that "a large percentage" of the accounts were fictitious, having been set up for one-time use so that their creators could get free software or other perks.

Advertisement

She also said that the company is continuing to work with law enforcement and outside investigators to determine the cost and scope of the breach, which resulted in the theft of customer data as well as source code to several software titles.

The company has notified some 38 million active Adobe ID users and is holders of inactive accounts, she said.

Advertisement

Paul Stephens, director of policy and advocacy for the non-profit Privacy Rights Clearinghouse, said information in an inactive database is often useful to criminals.

He said they might use it to engage in "phishing" scams or attempt to figure out passwords using the hints provided for some of the accounts in the database. In some cases, people whose data was exposed might not be aware of it because they have not accessed the out-of-date accounts, he said.

"Potentially it's the website you've forgotten about that poses the greater risk," he said. "What if somebody set up an account with Adobe ten years ago and forgot about it and they use the same password there that they use on other sites?"

Forgot the salt?
LastPass Chief Executive Joe Siegrist said that Adobe failed to use best practices for securing the stolen passwords.

The ones in the database were not protected with a technique known as "salting," which means adding a secret code to every password after it is scrambled and before it is stored in the database. That way multiple encrypted versions of the same password never look the same.

Because the passwords were not salted, Siegrist said he was able to identify the most frequently used password in the group, which was used 1.9 million times. The database has 108 million email addresses with passwords shared in multiple accounts.

"I'd say 108 million people fall into the range of likely very easily guessable passwords," he said.

The number of records stolen appears to be the largest taken in any publicly disclosed cyber attack to date.

The largest cyber breach previously reported was a 2009 attack on Heartland Payment Systems in which more than 130 million credit card numbers were stolen, according to Privacy Rights Clearinghouse data. Hackers accessed more than 100 million records from the Sony PlayStation Network in 2011 in another notorious attack.

Mike Spanbauer, managing director of research at the security firm NSS Labs, noted that the impact of the Adobe breach might not be as significant as ones where large numbers of financial records were stolen.

Still, he said that the attack was a strong reminder that consumers and businesses need to be vigilant about making sure they do not reuse passwords.

© Thomson Reuters 2013

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: Adobe, Internet, LastPass
Advertisement

Related Stories

Popular Mobile Brands
  1. Oppo K15 Launch Date Confirmed; Key Specifications Revealed Ahead of Debut
  2. Tecno Camon 50 Ultra 5G With a 6,500mAh Battery Debuts in India: See Price
  3. Airtel Confirms Mobile Hotspot Restriction on the Unlimited 5G Data Offer
  4. iPhone 18 Pro Max Could Get a New Sony Sensor With Variable Aperture Tech
  5. Insomniac Games Shares New Trailer for Marvel's Wolverine
  6. OnePlus Exits US, Europe, Continues Operations in India: 5 Things to Know
  1. Airtel Unlimited 5G Data Subscribers Cannot Share 5G Data via Mobile Hotspot, Company Confirms
  2. Lenovo Legion C700 Teased as a Cloud Gaming Handheld Ahead of August Launch
  3. Marvel's Wolverine Gets New Trailer That Will Play Ahead of Christopher Nolan's The Odyssey in Select Theatres
  4. Airtel Quietly Removes Rs. 549 Individual Postpaid Plan in India; Rs. 699 Plan Becomes Next Upgrade
  5. Poco M8 Power, Poco X8 India Launch Timeline Tipped; Could Arrive as Rebranded Redmi Note 17 Series
  6. Samsung Galaxy S25 Series Could Get Galaxy S26’s Horizontal Lock Camera Feature With One UI 9 Update
  7. Asus Pad India Launch Date Announced as Company Reveals Key Specifications
  8. iPhone 18 Pro Max Diagnostics Log Reportedly Reveals Variable Aperture Camera, Sony Sensor Upgrade
  9. Vivo X500 Ultra Leak Suggests Three 200-Megapixel Telephoto Sensors Under Testing
  10. iQOO Z11 Lite Price Range in India, Key Specifications Revealed Ahead of Official Launch
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.