Wednesday, 30 October 2013

What is known about the Adobe breach now and what is in store

If you have ever used Adobe.com, reset your password there, whether you know you signed up for an account or simply cannot remember. It doesn't matter whether Adobe has reached out to you or not: the reports of 38 million accounts at risk were incorrect; the real figure is about 153 million. This was mentioned in Krebs's article, but news reports outside of his are still throwing around erroneous figures.

The source of the aptly named "users.tar.gz" was a Russian website that I had been monitoring for a few days. A user eventually shared it when the link went dead, and a kind fellow determined a safe way to download it in a reasonable period of time, as the person who reposted it had used an ad-supported file-sharing website. In the end, it cost 2 EUR to download the file.

It's now in the hands of many researchers including myself.

Here are some facts that a number of us looking at the leaked user data have established so far:

  • The leaked file contains 153,004,874 records, so that is the upper bound on the number of unique accounts. The exact count has yet to be confirmed; a friend who is also looking at the data estimates roughly 50 duplicate accounts for every 10,000 records.

  • Passwords are not hashed but encrypted with DES (see the edit at the end of this post: Adobe has since confirmed 3DES), under a single global key rather than a per-user key. Whoever obtains that one key can decrypt every password in the file at once, and because everyone shares the same key, two users with the same password have the same ciphertext.

  • Not every account in the file has a password field filled in. That does not mean no password leaked for those accounts, so do not take an empty field as any kind of assurance.

  • Users range from businesses, to governments, to NGOs, to people like you and me.

  • The most commonly used passwords were "123456", "password", "123456789", "12345678", and "qwerty". This was determined not by breaking the encryption but by grouping records that share the same ciphertext and reading the password hints those users stored in their recovery details: when enough people in one cluster wrote a hint like "123456", the cluster's password is obvious.



Records in the leaked file look like this (e-mail addresses redacted). The fields, separated by "-|-", are a numeric ID, an empty field, the e-mail address, the base64-encoded encrypted password, and the password hint; the base64 string decodes to 8 bytes for short passwords and 16 bytes for longer ones:
103251449-|--|-[...]@yahoo.co.jp-|-hbpRGiyyvW0Ix+w38j30rA==-|-password|--
103251644-|--|-[...]@yahoo.com-|-7ZANzFDeVNU=-|-only password|--
103251834-|--|-[...]@seznam.cz-|-L8qbAD3jl3jioxG6CatHBw==-|-? password|--
103252332-|--|-[...]@yahoo.com-|-N/Bo4qtibWs=-|-where is my password?|--
103252463-|--|-[...]@aol.com-|-//mMaopP+fE=-|-habbo password|--
103252538-|--|-[...]@yahoo.com-|-8rGaJa+8UUSY41q03G/5+A==-|-real password|--
103252720-|--|-[...]@gmail.com-|-YQR6szpR2NTioxG6CatHBw==-|-gmail password|--
103253089-|--|-[...]@yahoo.co.uk-|-rFB6XOjEj1S/hiuNpU1UXA==-|-password|--
103253394-|--|-[...]@gmail.com-|-aK1lx9gGXIyTrmSEaSpL2A==-|-password|--


One excerpt from an e-mail I had received earlier should be taken into account as well:

Actually, I think it's double DES for the longer ones. Just two DES
concatenated, one for first 8 char and one for second. You can see
that a lot of the longer passwords have the same ending. This happens
because many second halves of passwords longer than 8 char will be the
same. For instance, a 9 char password will only have 1 char and 7
blank spaces in its hash. Also, this is terrible. You should be able
to easily figure out the salt as well.
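To make the record format and the e-mail's block-by-block observation concrete, here is a small parser and analysis in Python. It is an example added to this post, not code from the original post and not anything Adobe or the people quoted above used. Its input is the nine records listed earlier (a sample constructed from this page, addresses already redacted). It splits each record into its fields, decodes the base64 ciphertext, groups records by whole ciphertext (one global key and independent 8-byte blocks, i.e. ECB mode, mean identical passwords encrypt identically, which is what lets hints be read against a cluster) and by each individual block, and reports the password-length range a record's block count implies. The length rule (eight characters fill one block, a ninth starts a second) and the field names `user` and `hint` are assumptions taken from the e-mail and the listing, not from Adobe.

```python
import base64
from collections import defaultdict

BLOCK = 8  # DES / 3DES block size in bytes

# The nine records shown in the post (constructed sample taken from the
# page itself; the e-mail addresses were already redacted as "[...]").
SAMPLE = """\
103251449-|--|-[...]@yahoo.co.jp-|-hbpRGiyyvW0Ix+w38j30rA==-|-password|--
103251644-|--|-[...]@yahoo.com-|-7ZANzFDeVNU=-|-only password|--
103251834-|--|-[...]@seznam.cz-|-L8qbAD3jl3jioxG6CatHBw==-|-? password|--
103252332-|--|-[...]@yahoo.com-|-N/Bo4qtibWs=-|-where is my password?|--
103252463-|--|-[...]@aol.com-|-//mMaopP+fE=-|-habbo password|--
103252538-|--|-[...]@yahoo.com-|-8rGaJa+8UUSY41q03G/5+A==-|-real password|--
103252720-|--|-[...]@gmail.com-|-YQR6szpR2NTioxG6CatHBw==-|-gmail password|--
103253089-|--|-[...]@yahoo.co.uk-|-rFB6XOjEj1S/hiuNpU1UXA==-|-password|--
103253394-|--|-[...]@gmail.com-|-aK1lx9gGXIyTrmSEaSpL2A==-|-password|--
"""


def parse_record(line):
    """Split one 'id-|-user-|-email-|-b64cipher-|-hint|--' line into fields.

    The record ends with the '|--' terminator; the hint may itself contain
    '-' or '|', so strip the terminator before splitting on '-|-'.  An empty
    fourth field (an account with no stored password) yields cipher=b''.
    The field names 'user' and 'hint' are assumptions, not Adobe's names.
    """
    line = line.rstrip("\r\n")
    if line.endswith("|--"):
        line = line[:-3]
    fields = line.split("-|-")
    if len(fields) != 5:
        raise ValueError("unexpected field count in record: %r" % line)
    rec_id, user, email, b64, hint = fields
    return {
        "id": rec_id,
        "user": user,
        "email": email,
        "cipher": base64.b64decode(b64) if b64 else b"",
        "hint": hint,
    }


def blocks(cipher):
    """Return the 8-byte cipher blocks of a ciphertext.

    Every ciphertext in the dump is a whole number of 64-bit blocks; anything
    else means the record was not produced by this scheme.
    """
    if len(cipher) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    return [cipher[i:i + BLOCK] for i in range(0, len(cipher), BLOCK)]


def length_bucket(cipher):
    """Inclusive (min, max) password length implied by the block count.

    Assumption drawn from the e-mail: an 8-character password fills exactly
    one block and a 9-character one spills into a second, so n blocks means
    8*(n-1)+1 .. 8*n characters.  None means no password was stored.
    """
    n = len(cipher) // BLOCK
    if n == 0:
        return None
    return (BLOCK * (n - 1) + 1, BLOCK * n)


def analyse(text):
    """Parse all records and group them two ways.

    by_cipher: full ciphertext -> hints of everyone with that ciphertext
               (same key + ECB: same password, same ciphertext).
    shared:    (block index, block bytes) -> ids of records sharing that
               single block, which is how the e-mail spotted common endings.
    """
    records = [parse_record(l) for l in text.splitlines() if l.strip()]
    by_cipher = defaultdict(list)
    by_block = defaultdict(set)
    for r in records:
        if not r["cipher"]:        # no password stored for this account
            continue
        by_cipher[r["cipher"]].append(r["hint"])
        for i, b in enumerate(blocks(r["cipher"])):
            by_block[(i, b)].add(r["id"])
    shared = {k: v for k, v in by_block.items() if len(v) > 1}
    return records, by_cipher, shared


if __name__ == "__main__":
    records, by_cipher, shared = analyse(SAMPLE)
    for r in records:
        print(r["id"], length_bucket(r["cipher"]), repr(r["hint"]))
    # Largest ciphertext clusters first; on the real file this is where
    # hints like "123456" pile up against one ciphertext.
    top = sorted(by_cipher.items(), key=lambda kv: len(kv[1]), reverse=True)
    for cipher, hints in top[:3]:
        print(base64.b64encode(cipher).decode(), len(hints), hints[:5])
    for (i, b), ids in shared.items():
        print("block %d %s shared by %s"
              % (i, base64.b64encode(b).decode(), sorted(ids)))
```

Run against the nine records above, no two share a whole ciphertext, but the seznam.cz and gmail.com records (IDs 103251834 and 103252720) share their second 8-byte block, which is exactly the "same ending" pattern the e-mail describes: both passwords are between 9 and 16 characters and their ninth-onward characters are identical. On the full file the same grouping is what turns a handful of careless hints into the plaintext for every account in a cluster.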


If you think that RockYou was bad, Adobe will make it look like it was just a passing fart.

Again, I do suggest that if you think you might have given your details to Adobe, you reset your passwords if you have not already.

Edit: Adobe clarified that the passwords are all DES as I suspected (3DES, to be exact). I had made an erroneous assumption about it being another hashing function, but that has been proven to be otherwise.

1 comment:

  1. Hey Colin,

    Something is amiss here. All the hashes that have 123456 as comment are different. This means that they're either uniquely salted (highly unlikely since there are a ton of hashes that repeat over and over) or... something else.
