BreachExchange mailing list archives

After Adobe Hack, Other Sites Re-Set Passwords


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 12 Nov 2013 00:07:22 -0700

http://blogs.wsj.com/digits/2013/11/11/after-adobe-hack-other-sites-re-set-passwords/

Last month, Adobe announced hackers stole login information for some 38
million of its customers. Now Facebook and other Internet companies are
worried their users might also be affected.

The link: Internet users, despite repeated warnings, often use the same
password across many different websites. So even if Facebook wasn’t hit by
this round of cyberattacks, the Adobe hackers still might be able to break
into Facebook member accounts with recycled passwords.

The social media giant recently began requiring some members who it
believes used the same passwords for their Adobe accounts to create new
ones. And Amazon.com unit Diapers.com, which sells diapers and other baby
products, also recently reset the passwords of some customers who it
believed were affected by the Adobe attack, according to a customer email
posted online. Microsoft said it is aware of the potential problem for some
of its users and is “taking appropriate action,” a spokeswoman said, who
didn’t elaborate.

The efforts underscore the ways that online companies share risk in hacking
attacks, and also together have to clean up from the fallout.

“The attack against Adobe’s customer database illustrates the extreme risk
and vulnerability we accept as we continue to depend on passwords to secure
our personal information and keep us safe online,” said Michael Barrett,
president of the FIDO alliance, a group of technology companies, including
PayPal, Google and Lenovo.

Adobe disclosed the hack last month and the massive trove of emails and
encrypted passwords was available online. Security researchers have said
they were able to decrypt some of those passwords.

Some Internet companies are now scanning that list of Adobe email addresses
and passwords on their own to see if their own customers used the same
combination.

“We know that there are going to be plenty of cases where those passwords
were reused just based on knowledge of user habits across the Web,”
Facebook spokesman Jay Nancarrow said.

Affected Facebook users recently received a message that read, “Recently,
there was a security incident on another website unrelated to Facebook.
Facebook was not directly affected by the incident, but your Facebook
account is at risk because you were using the same password in both places.”

Amazon didn’t respond to requests for comment.

Internet security experts long have warned consumers against employing the
same password all over the Internet, a common practice according to studies.

Companies generally store user passwords in encrypted form. The goal is
that if their servers are breached, hackers will not have recovered users’
actual passwords, but instead a bunch of garbled text.

Part of the problem is that the information stolen from Adobe was on a
backup system that used a relatively weak form of encryption. This would
make it easier for hackers to figure out users’ passwords.

Adobe has used a harder-to-crack form of encryption for more than a year
and the breached system was set to be decommissioned, a company spokesman
said.

The company has reset passwords for all of its users whose current login
information was stolen in the hack, the spokesman said.

Cybersecurity journalist Brian Krebs reported earlier on the Facebook user
messages.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
