For one, all the passwords were encrypted with the same encryption algorithm (likely DES or Triple DES), which means that anyone who gets his or her hands on or figures out the decryption key can easily decrypt all the passwords.
Then, they used the Electronic Code Book (ECB) method of encryption that makes all identical passwords look the same when encrypted - and we all know that many users to use the same simple and predictable passwords.
Thirdly, the database included the (unencrypted) hints for the passwords, which made it trivial to guess the passwords that were used over and over again (xkcd has explained it all wonderfully).
The worst part of it is that many users chose the same password as the one they use for their internet banking or their Facebook account, and often said so explicitly in the “hint” that went along with it.
Facebook has already moved to protect its users who have done this by blocking their accounts and presenting them with the following notice:
They are then forced to answer a few security questions to prove their identity as the rightful owner of the account and to change their password to a more complex and unique one.
Time will tell if Facebook is the only company that considered the repercussions of the Adobe breach and move to minimize them - let’s hope they are not.
In the meantime, at least one Adobe customer has filed what could turn out to become a class action lawsuit against the company, claiming that despite promising they use “reasonable administrative, technical and physical security controls” to protect their PII and “industry-leading security practices”, their actual security practices are “substandard” and “continued to result in breaches.”
While thinking about whether to join the suit or not, Adobe users can check if their login credentials were compromised in the hack by entering their email address in this site / checking tool.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.