14 DAY TRIAL // We’ve recently learned that the Adobe breach is much more serious than initially believed. That’s because the hackers haven’t gained access to 2.9 million accounts, but to 38 million active ones.
The file containing the information stores around 150 million records, 130 million of which include the passwords of Adobe customers.
Experts have been analyzing the file and they’ve found that the encryption mechanism used by Adobe to protect passwords is far from being efficient. That’s because the company has used Triple DES encryption.
The problem with this type of encryption is that the hash provides some clues that can be used to figure out the password.
Steve "Sc00bz" Thomas has told Ars Technica that the passcodes are encrypted using a mode called ECB. This means that based on the encrypted string, hackers could figure out the last characters and even the lengths of certain passwords.
Adobe has confirmed for Ars that they’ve been using Triple DES. However, the company argues that they utilized the encryption only up until a year ago, when they switched to salted SHA-256.
Passwords created over the last year are impossible to decrypt, especially since the hashing process is repeated more than 1,000 times. However, the ones leaked by the hackers, stored in a backup system that Adobe wanted to decommission, can be cracked.
Furthermore, the task becomes even easier if we take into consideration the fact that the file leaked by the hackers also contains password hints.
XKCD has even published a comic on the topic (see screenshot), saying that the passwords leaked from Adobe represent "the greatest crossword puzzle in the history of the world."
On the other hand, the hackers might not even have to take too much time to decrypt the passwords. Considering that they’ve gained access to a lot of sensitive information on Adobe’s servers, it’s possible that they’ve also managed to steal the encryption keys.