When "Encrypted" Doesn't Mean "Secure"
In October 2013, Adobe announced that attackers had stolen data on approximately 38 million users. Within weeks, that number ballooned to 153 million accounts as the full scope of the breach became clear.
But the breach itself wasn't the most embarrassing part. It was how Adobe had stored the passwords.
The Encryption Mistake
Adobe used 3DES (Triple Data Encryption Standard) in ECB (Electronic Codebook) mode to encrypt passwords. This approach had two fatal flaws:
- Encryption instead of hashing: passwords should be hashed with a one-way function such as bcrypt, not encrypted with a reversible cipher. Encryption implies a key exists that can decrypt every password in the database. With hashing there is no key to steal.
- ECB mode: in ECB mode, identical plaintext blocks always produce identical ciphertext blocks under the same key. Every user with the same password therefore produced the same encrypted output. If you could figure out one common password (like "123456"), you could identify every account that used it.
The Crossword Puzzle
Security researchers quickly realized that the password hints — which Adobe stored in plaintext alongside the encrypted passwords — could be used to decode the passwords. Users had typed hints like "the word for a small house" (cottage), "what my dog's name is" (fido), or even just the password itself.
By cross-referencing identical ciphertext values with their plaintext hints, researchers could decode millions of passwords. An XKCD comic even turned the top encrypted passwords into a crossword puzzle.
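The following is an added example, not code from the original article and not Adobe's code, to make both the ECB flaw and the cross-referencing step concrete. It stands in for 3DES with a toy keyed block function of the same 8-byte block size (an HMAC output truncated to one block; an assumption for this demo, not a cipher, not invertible and not secure), because the leak comes from the mode, which only needs the block function to be deterministic. The user table, key and hints are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

BLOCK = 8  # 3DES works on 64-bit blocks; the stand-in keeps the same block size


def toy_block_function(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher (assumption: NOT 3DES, not invertible,
    not secure). It is only a keyed, deterministic map from one 8-byte block
    to another, which is the single property ECB mode relies on and the
    single property this demonstration needs."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB mode: every block is transformed independently with the same key,
    so equal plaintext blocks give equal ciphertext blocks anywhere in the table."""
    padded = pad(plaintext)
    return b"".join(
        toy_block_function(key, padded[i:i + BLOCK])
        for i in range(0, len(padded), BLOCK)
    )


# Constructed sample user table: (email, password, plaintext hint).
USERS = [
    ("alice@example.com", "123456", "the usual six digits"),
    ("bob@example.com", "cottage", "the word for a small house"),
    ("carol@example.com", "123456", "numbers"),
    ("dave@example.com", "cottage", "where we stayed on holiday"),
    ("erin@example.com", "password1", "pw plus one"),
    ("frank@example.com", "password2", "pw plus two"),
]


def encrypt_table(key: bytes, users) -> list:
    """Store what the article describes: email, ciphertext, and the hint in the clear."""
    return [(email, ecb_encrypt(key, pw.encode()), hint) for email, pw, hint in users]


def group_by_ciphertext(records) -> dict:
    """The analysis from the article, done without the key: rows with equal
    ciphertext have equal passwords, and their hints pool together."""
    groups = defaultdict(list)
    for email, ct, hint in records:
        groups[ct].append((email, hint))
    return dict(groups)


def shared_leading_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """ECB also leaks partial equality: count the leading blocks two ciphertexts share."""
    n = 0
    for i in range(0, min(len(ct_a), len(ct_b)), BLOCK):
        if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]:
            break
        n += 1
    return n


if __name__ == "__main__":
    key = b"constructed demo key"  # one key for the whole table, as the article describes
    records = encrypt_table(key, USERS)
    for ct, members in group_by_ciphertext(records).items():
        if len(members) > 1:
            print(ct.hex(), "shared by", [m[0] for m in members], "hints:", [m[1] for m in members])
    a = ecb_encrypt(key, b"password1")
    b = ecb_encrypt(key, b"password2")
    print("password1/password2 share", shared_leading_blocks(a, b), "leading block(s)")
```

Run it and the two "123456" users and the two "cottage" users collapse into one row each, with their hints side by side; "password1" and "password2" share their first ciphertext block because their first eight plaintext bytes are equal. Nothing here needed the key, which is the point: a per-user salt or a hash would have broken every one of these groupings.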
What Was Stolen
- 153 million user records with email addresses, encrypted passwords, and password hints
- Source code for Adobe products including ColdFusion, Acrobat, and Reader
- Internal credentials that could provide access to other systems
The Wider Impact
Because so many people reuse passwords, the Adobe breach became a skeleton key for other services. Attackers used the decoded passwords to compromise accounts on Facebook, banks, and other platforms. Facebook proactively identified users whose Facebook passwords matched their Adobe passwords and forced password resets.
What We Learned
- Always hash passwords, never encrypt them. Hashing is a one-way operation — even if the database is stolen, the original passwords can't be recovered without brute-force effort.
- Use a unique salt per user. Salting ensures that identical passwords produce different hash values, preventing the pattern analysis that made Adobe's data so vulnerable.
- Never store password hints in plaintext. Better yet, don't use password hints at all. They're a relic of a less security-conscious era.
- ECB mode is always the wrong choice for real data: because equal plaintext blocks give equal ciphertext blocks, it leaks structure to anyone holding the ciphertext, even without the key. Any modern cryptography course teaches this, yet companies continue to make this mistake.
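As an added example of the first three lessons (not code from the original article), here is a minimal password store that hashes instead of encrypts, salts per user, and keeps no hint column. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, scrypt or Argon2, which need a third-party package; the record format, parameters and sample users are assumptions made for this demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example. PBKDF2-HMAC-SHA256 stands in for
# bcrypt/scrypt/Argon2, which are the better choices in production.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """One-way, salted and slow. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt>$<hash>' so the parameters can be
    raised later without breaking verification of old records. A fresh
    random salt is drawn per call unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time. Malformed or foreign records never verify."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, expected)


# Constructed sample users; two of them chose the same password.
SAMPLE_USERS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "cottage"),
    ("carol@example.com", "123456"),
    ("dave@example.com", "correct horse battery staple"),
]


def build_store(users) -> dict:
    """Persist only email -> hash record. There is no hint column to leak."""
    return {email: hash_password(pw) for email, pw in users}


def has_duplicate_records(store: dict) -> bool:
    """With per-user salts, equal passwords are indistinguishable at rest,
    so this is expected to be False even when users share a password."""
    return len(set(store.values())) != len(store)


if __name__ == "__main__":
    store = build_store(SAMPLE_USERS)
    for email, rec in store.items():
        print(email, rec[:40] + "...")
    print("duplicate records:", has_duplicate_records(store))
    print("alice logs in:", verify_password("123456", store["alice@example.com"]))
    print("wrong password:", verify_password("123457", store["alice@example.com"]))
```

Alice and Carol share a password, yet their stored records differ, so the grouping that exposed Adobe's users cannot be done on this table; recovering any password means a brute-force search against each record's own salt and iteration count.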
Check Your Exposure
The Adobe breach is over a decade old, but its effects linger. Passwords reused from Adobe accounts may still be in use on other services. Check LeakedSource to see if your email address appeared in the Adobe breach or any others, and make sure you've changed any passwords that might have been compromised.