A security firm has claimed that it has uncovered data belonging to 152 million Adobe user accounts, indicating that the numbers provided by the Photoshop maker may not reflect the actual size of the breach.
LastPass, a password security firm, has claimed that it came across a dump of Adobe user data containing usernames, encrypted passwords and password hints – all stored in clear text – at an underground site regularly visited by cyber criminals. The password security company claims that the data dump contains over 152 million records.
Adobe had confirmed to us last week that hackers managed to steal data on more than 38 million user accounts, on top of the 3 million disclosed just days after the hack. Adobe has confirmed that the data in LastPass’ possession is indeed from its servers, but has claimed that the hacked database was from a server scheduled for decommissioning.
Adobe spokesperson Heather Edell said that it would not be accurate to peg the data theft at 152 million user accounts, as over 25 million records contained invalid email accounts. A further 18 million records had invalid passwords, and a large percentage of the accounts were fake or created for just a one-time login to obtain benefits such as free software and other perks.
Last week we reported how a security company had managed to analyze the 152 million records and list the top 100 most commonly used passwords among Adobe users, the most common being ‘123456’. This particular analysis was possible because Adobe did not add a salt to the encrypted string when storing each password, so identical passwords produced identical stored values. Further, the use of such passwords indicates that Adobe failed to enforce the minimum password strength parameters used across the industry. This also highlights the lack of user awareness when it comes to online security and password selection.
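To illustrate why the missing salt mattered, the following added example (not Adobe's code and not from the original article) audits a credential store for repeated stored values. The accounts, the site-wide key and the HMAC used as a stand-in for unsalted encryption are all constructed assumptions; the salted variant uses PBKDF2 from the Python standard library.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not data from the breach).
ACCOUNTS = [
    ("a@example.com", "123456"), ("b@example.com", "123456"),
    ("c@example.com", "123456"), ("d@example.com", "password"),
    ("e@example.com", "password"), ("f@example.com", "tr0ub4dor&3"),
]
SITE_KEY = b"constructed-site-wide-key"  # hypothetical: one key for every user
ITERATIONS = 100_000

def store_unsalted(password: str) -> bytes:
    """Deterministic keyed transform: the same password always gives the same
    stored value. Stand-in for encrypting all passwords under one key, no salt."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).digest()

def store_salted(password: str) -> bytes:
    """Random 16-byte salt per record plus a slow KDF; salt is kept with the hash."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_salted(password: str, stored: bytes) -> bool:
    """Recompute with the record's own salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def duplicate_groups(stored_values) -> list:
    """Sizes of groups of identical stored values, largest first.
    Any non-empty result means password reuse is visible from the store alone."""
    counts = Counter(stored_values)
    return sorted((n for n in counts.values() if n > 1), reverse=True)

def audit(store_fn) -> list:
    """Store every constructed account with store_fn and report duplicates."""
    return duplicate_groups([store_fn(pw) for _, pw in ACCOUNTS])

if __name__ == "__main__":
    print("unsalted duplicate groups:", audit(store_unsalted))
    print("salted duplicate groups:  ", audit(store_salted))
```

With the unsalted scheme the three accounts sharing one password and the two sharing another stand out immediately, which is the property that made a top-100 ranking possible; with per-record salts no two stored values match.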