In October Adobe reported that its systems had been compromised by attackers who stole data on somewhere between 38 million and 150 million accounts: usernames, encrypted passwords and password hints, and, for a subset of accounts, credit card numbers. Adobe originally put the figure at a much smaller 2.9 million accounts, but the number has since grown dramatically, and the company appears to be struggling to establish the scope of the problem. To make matters worse, Adobe used questionable password-storage practices: the passwords were reversibly encrypted, with a single key and no per-user salt, rather than stored as salted one-way hashes, so any two accounts with the same password carry the same ciphertext in the leaked file.
This is bad news not just for everyone on that list but for just about every company on the planet as well, since their employees have likely set up Adobe.com accounts to access Creative Cloud or simply to download free or trial software from the company. To make matters even worse, some of your employees have likely used their personal email addresses to create those accounts. You may be asking yourself, “Why does this make matters worse?” It does because you cannot find those accounts by searching for your company’s email domain, and because humans are bad at picking passwords.
As we all know, most people pick simple, easy-to-remember passwords, which are also easy to guess if you are an attacker. Weak passwords are a problem by themselves, but those same users likely reuse the same password for everything in their digital lives, including your network and company resources. Now you are probably thinking, “Yeah, but they do not have their usernames for my network.” True, but it is fairly trivial to figure out where someone works these days thanks to social media, and from there an attacker can likely work out your company’s username format if they do not already know it. I am willing to bet it will be only a matter of time before someone takes this data, automates matching it to social media profiles and companies, and generates usernames based on industry norms.
In fact, Facebook is already automating the comparison, but for a good cause. It has started comparing its users’ passwords with those that were part of the Adobe hack, and has begun notifying users whose password is at risk.
What you should do to protect your company from the Adobe hack
The first thing you should do is take an inventory of your IT department’s Adobe accounts, as well as any Adobe accounts you have set up for your users, such as Creative Cloud accounts or even accounts created just for software updates. Once you have identified the known accounts at risk, compare them against the leaked file of compromised accounts. While I will not link to the file containing all of the Adobe user data, it can easily be found on the Internet via a quick Google search. If you have a lot of accounts to check, automate the comparison with a script or a spreadsheet; matching on your company’s email domain catches every corporate address in one pass. If you only have a handful of accounts that may be at risk, use the free website that LastPass has published for checking whether an email address was included in the compromise.
What is neat about the LastPass Adobe site is that not only will it tell you whether an email address was part of the compromise, it will also email you a link to reset your Adobe password, and it tells you how many other compromised accounts had the same password. Because identical passwords produced identical ciphertext in the leaked file, a password shared with many other accounts is a common one, and therefore a weak one.
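As an added example (not code from the original post), here is a small Python script that does the automated comparison described above for a large account list, and also reproduces the “how many others had the same password” check that the LastPass site offers, by counting how many records share a ciphertext. It assumes the widely reported `-|-` delimited record layout of the leaked file (uid, username, email, base64 ciphertext, hint, terminated by `|--`); adjust `parse_dump()` if your copy is laid out differently. The records embedded in it are constructed for illustration and are not entries from the dump.

```python
"""Match an account list against the leaked Adobe dump and flag shared passwords.

Added example, not code from the original post.  The record layout assumed
here is the widely reported one for the leaked file:

    uid-|-username-|-email-|-base64 ciphertext-|-password hint|--

Adjust parse_dump() if your copy is laid out differently.
"""
from collections import Counter

# Constructed sample records in that layout.  None of these are real entries
# from the dump; the ciphertexts are invented base64 strings.
SAMPLE_DUMP = """\
100000001-|--|-alice@example.com-|-EQ7fIpT7i/Q=-|-usual one|--
100000002-|--|-bob@example.com-|-L8qbAD3jl3jioxG6CatHBw==-|-|--
100000003-|--|-carol@gmail.com-|-EQ7fIpT7i/Q=-|-the dog|--
100000004-|--|-dave@other.org-|-EQ7fIpT7i/Q=-|-|--
100000005-|--|-erin@example.com-|-zHj9bNw4X6s=-|-work pw|--
100000006-|--|-frank@other.org-|-L8qbAD3jl3jioxG6CatHBw==-|-same as bank|--
"""

FIELD_SEP = "-|-"
RECORD_END = "|--"


def parse_dump(lines):
    """Yield one dict per well-formed record; skip blank or truncated lines.

    Accepts a string or any iterable of lines (e.g. an open file), so the
    real, very large dump can be streamed instead of read into memory.
    """
    if isinstance(lines, str):
        lines = lines.splitlines()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        parts = line.split(FIELD_SEP)
        if len(parts) < 4:
            continue  # truncated or garbled line, not a record we can use
        uid, username, email, ciphertext = parts[:4]
        hint = parts[4] if len(parts) > 4 else ""
        if hint.endswith(RECORD_END):
            hint = hint[: -len(RECORD_END)]
        yield {
            "uid": uid,
            "username": username,
            "email": email.strip().lower(),
            "ciphertext": ciphertext.strip(),
            "hint": hint,
        }


def find_exposed(records, watch_domains=(), watch_emails=()):
    """Return the records whose email is on the watch list.

    watch_domains catches every corporate address in one pass; watch_emails
    is for known personal addresses you have permission to check.
    """
    domains = {d.lower().lstrip("@") for d in watch_domains}
    emails = {e.lower() for e in watch_emails}
    hits = []
    for rec in records:
        domain = rec["email"].rsplit("@", 1)[-1]
        if rec["email"] in emails or domain in domains:
            hits.append(rec)
    return hits


def ciphertext_counts(records):
    """Count how many accounts share each ciphertext.

    The passwords were reversibly encrypted with one key and no per-user
    salt, so two accounts with the same password carry the same ciphertext.
    A ciphertext shared by many accounts therefore marks a common password.
    """
    return Counter(rec["ciphertext"] for rec in records)


def report(dump, watch_domains=(), watch_emails=(), shared_threshold=2):
    """Build the at-risk list: every watched account found in the dump, with
    how many other accounts share its password and whether that looks weak."""
    records = list(parse_dump(dump))
    counts = ciphertext_counts(records)
    rows = []
    for rec in find_exposed(records, watch_domains, watch_emails):
        n = counts[rec["ciphertext"]]
        rows.append({
            "email": rec["email"],
            "shared_with": n - 1,
            "likely_weak": n >= shared_threshold,
            "hint": rec["hint"],
        })
    return rows


if __name__ == "__main__":
    # In practice pass an open file object for the extracted dump and your
    # own domain(s); here the constructed sample is used instead.
    for row in report(SAMPLE_DUMP, watch_domains=["example.com"],
                      watch_emails=["carol@gmail.com"]):
        flag = "WEAK" if row["likely_weak"] else "    "
        print(f"{flag} {row['email']:<20} shared with {row['shared_with']:>3} "
              f"other account(s)  hint={row['hint']!r}")
```

The hint column is worth reading alongside the shared-password count: the hints were leaked in clear, and entries like “same as bank” tell an attacker exactly where else the password will work, which is the reuse problem this post is about.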
With one company I was working with, we checked all of the known Adobe accounts against the leaked database and found that over 70% of them were included in the compromise. We then took a sample of the company’s employees’ known personal email addresses and plugged them into the LastPass website, and found that nearly 90% of them were included in the compromise, and that a large number of them shared a password with other users. This is bad.
This leads me to the second thing you should do: depending on the size and logistical capabilities of your company and IT team, force all of your users to reset their passwords for your network resources. Right now you are probably thinking, “WTF, are you kidding? We have 200+ users; this will kill our helpdesk.” To which I have one answer: “Yep.” Can you say with certainty that your users do not have Adobe accounts? Or that they use a unique, strong password for each and every account they have?
Obviously every company is different, in both size and complexity, and a full password reset may not be feasible, even for the smallest startups. So confer with your InfoSec team (if you have one) and your CIO to decide whether the risk that even one of your accounts could be compromised thanks to Adobe is worth accepting. Depending on what your business does, the risk may be acceptable and a company-wide password reset too much of a burden, but for many companies the risk to your data and your customers’ data, along with the potential damage to your public reputation, is too great, and a company-wide password reset is an acceptable burden to take on.
Finally, regardless of what course of action you decide to take, educate your company’s employees about what happened. Use this opportunity to reinforce the need for strong, unique passwords, and advise them to change the password on any other personal account where they reused their Adobe password.