Hackers took more from Adobe than claimed

In a move which will be a blow for Adobe’s subscription software system, a computer security firm has uncovered data it says belongs to some 152 million Adobe Systems user accounts.

According to The Verge, this means that the breach reported a month ago is far bigger than Adobe has so far revealed and is one of the largest on record. All this is happening while Adobe is hoping to make a killing selling its software on the cloud, something which depends on a reputation for some brilliant security.

LastPass, a password security firm, said that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on a dodgy hacker site.

Adobe last week admitted attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly three million accounts that it disclosed nearly a month earlier.

All this is well short of the 152 million figure, which would seem to indicate the bad guys have most of Adobe’s client list and passwords.

Now Adobe has confirmed that LastPass had found records stolen from its datacentre but downplayed the significance of the security firm’s findings.

Adobe said that it was inaccurate to say 152 million customer accounts had been compromised because the database attacked was a backup system about to be decommissioned.

Those records include some 25 million with invalid email addresses and 18 million with invalid passwords. The spokesman said that a huge percentage of the accounts were fictitious, having been set up for one-time use so that their creators could get free software.

Adobe said that it had told some 38 million active Adobe ID users and is now contacting holders of inactive accounts.

However, LastPass Chief Executive Joe Siegrist was more scathing. He said that Adobe failed to use best practices for securing the stolen passwords.

The passwords in the database were not protected with a technique known as “salting,” which means adding a secret code to every password after it is scrambled and before it is stored. This stops encrypted versions of the same password looking identical.

Siegrist could spot the most frequently used password in the group, which was used 1.9 million times. The database has 108 million email addresses with passwords shared in multiple accounts.
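The two preceding paragraphs describe the defect and its consequence: without a per-record salt, every account with the same password is stored as the same value, so anyone holding the dump can count repeats and see which password is most common without decrypting anything. The script below is an added illustration and is not code from the article, Adobe or LastPass. It uses SHA-256 and PBKDF2 from Python's standard library as stand-ins for whatever scheme Adobe actually used (the article does not say), and the account list is constructed. Note that the salt is mixed with the password before the hash or cipher is applied, which is what makes identical passwords produce different stored values.

```python
"""Unsalted versus salted password storage: why repeats leak.

Added example, not from the article. SHA-256 / PBKDF2 stand in for Adobe's
unspecified scheme; the account list below is constructed.
"""
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample of (email, password) records; several users share a password.
ACCOUNTS: List[Tuple[str, str]] = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "123456"),
    ("carol@example.com", "password"),
    ("dave@example.com", "123456"),
    ("erin@example.com", "qwerty"),
    ("frank@example.com", "password"),
    ("grace@example.com", "letmein"),
]

PBKDF2_ROUNDS = 100_000  # assumption: any slow KDF with a salt will do


def unsalted_store(password: str) -> str:
    """Deterministic transform: the same password always yields the same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_store(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-record random salt, mixed in before hashing. Returns (salt_hex, digest_hex)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex(), digest.hex()


def verify_salted(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_store(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def unsalted_frequencies(accounts: List[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """What a holder of the unsalted dump can see: stored values grouped by count.

    Identical passwords collapse to identical values, so the top entry is the
    most common password even though no value has been reversed.
    """
    return Counter(unsalted_store(pw) for _, pw in accounts).most_common()


def salted_distinct_count(accounts: List[Tuple[str, str]]) -> int:
    """With a fresh salt per record, every stored value is distinct."""
    return len({salted_store(pw)[1] for _, pw in accounts})


if __name__ == "__main__":
    top_value, top_count = unsalted_frequencies(ACCOUNTS)[0]
    print(f"unsalted: most common stored value appears {top_count} times ({top_value[:16]}...)")
    print(f"salted:   {salted_distinct_count(ACCOUNTS)} distinct values for {len(ACCOUNTS)} records")
    salt_hex, digest_hex = salted_store("123456")
    print("verify correct password:", verify_salted("123456", salt_hex, digest_hex))
    print("verify wrong password:  ", verify_salted("letmein", salt_hex, digest_hex))
```

Run on the constructed list, the unsalted store shows one value occurring three times (the three "123456" accounts), which is exactly the pattern Siegrist counted across 1.9 million Adobe records; the salted store yields seven distinct values for seven records, and the repeated passwords are no longer visible from the stored data alone.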

If the 152 million figure is correct, then it breaks all records. The largest cyber breach previously reported was a 2009 attack on Heartland Payment Systems in which more than 130 million credit card numbers were stolen.