I received yesterday (22.11.13) an email from Evernote. It begins:
There were published reports recently of a security breach at Adobe that may have exposed private information, including Adobe passwords, email addresses and password hints of millions of users. The list of compromised Adobe accounts has been uploaded to the web. We compared this list to our user email addresses and found that the email address you used to register for an Evernote account is on the list of exposed Adobe accounts.
I was previously aware of the security breach. Adobe had sent me an email on 9 October 2013 to the following effect:
Important Password Reset Information
We recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account.
Adobe did not, however, reveal the full extent of the security breach. Recent reports suggest 150 million logons were compromised. See
Adobe’s file is over 10GB and is freely available to download on the internet. Evernote (quite correctly) analysed the file to improve its own security. Adobe, in its email to me, assured me that my password was encrypted. It neglected to tell me:
- My password hint was not encrypted at all; and
- All identical passwords were encrypted to the same stored value. Adobe encrypted the passwords with a block cipher rather than storing a salted hash, so every user who chose the same password as me has exactly the same ciphertext in the file.
The following record is an extract from the database for one of my logons.
Because all identical passwords have the same stored value, it is easy to filter the 150 million records and see every hint entered by users who chose that password. Some of those hints do not need much guessing. For example, my (old) password is easily guessed from these entries
It is not hard to work out that I have a son named “Denham”.
My logon was fully compromised.
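To make the mechanism concrete, here is a small added example (my editorial addition, not code from the original post, from Adobe or from Evernote). It parses a handful of records laid out in the style of the leaked file (fields separated by "-|-", records ending in "|--"), groups them by the stored password value, and lists every hint left by users with the same ciphertext, which is exactly what an attacker does to recover a password like mine. It then shows why a per-user salted hash does not have this weakness. The email addresses, ciphertext strings and hints are constructed for illustration.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample in the layout of the leaked Adobe file:
# id -|- id2 -|- email -|- base64 ciphertext -|- hint |--
# All values below are invented; they do not decrypt to anything.
SAMPLE_DUMP = """\
1001-|--|-alice@example.com-|-EQ7fIps5FxUx7vNl6KM6fg==-|-son's name|--
1002-|--|-bob@example.com-|-EQ7fIps5FxUx7vNl6KM6fg==-|-denham|--
1003-|--|-carol@example.com-|-EQ7fIps5FxUx7vNl6KM6fg==-|-|--
1004-|--|-dave@example.com-|-L8qbAD3jl3jioxG6CatHBw==-|-usual|--
1005-|--|-erin@example.com-|-L8qbAD3jl3jioxG6CatHBw==-|-numbers 1 to 6|--
1006-|--|-frank@example.com-|-EQ7fIps5FxUx7vNl6KM6fg==-|-my boy|--
1007-|--|-grace@example.com-|-zpVz5JhV0lbNx5yb1OtQdA==-|-|--
"""

SEP = "-|-"
TERM = "|--"


def parse_records(dump):
    """Return (email, ciphertext, hint) tuples; malformed lines are skipped."""
    records = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.endswith(TERM):
            continue
        fields = line[: -len(TERM)].split(SEP)
        if len(fields) < 5:
            continue
        _id, _id2, email, ciphertext, hint = fields[:5]
        records.append((email.lower(), ciphertext, hint.strip()))
    return records


def hints_by_ciphertext(records):
    """Group records by stored password value. With an unsalted, deterministic
    cipher, equal passwords give equal ciphertext, so their hints line up."""
    groups = defaultdict(list)
    for email, ciphertext, hint in records:
        groups[ciphertext].append((email, hint))
    return groups


def hints_for_user(records, email):
    """What an attacker sees for one victim: every non-empty hint written by
    any user whose stored value matches the victim's."""
    email = email.lower()
    for members in hints_by_ciphertext(records).values():
        if any(e == email for e, _ in members):
            return [hint for _, hint in members if hint]
    return []


def salted_hash(password, salt=None):
    """The defence: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user,
    so the same password stored twice yields two different values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify(password, salt, digest):
    """Check a login attempt against a stored (salt, digest) pair."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000) == digest


def same_password_same_record(password):
    """True only if storing one password twice gives identical stored values,
    i.e. the property the Adobe file had. Salted hashing returns False."""
    _, d1 = salted_hash(password)
    _, d2 = salted_hash(password)
    return d1 == d2


if __name__ == "__main__":
    recs = parse_records(SAMPLE_DUMP)
    print("hints visible for alice:", hints_for_user(recs, "alice@example.com"))
    print("salted storage repeats for equal passwords:", same_password_same_record("denham"))
```

On the real 10GB file the grouping step cannot hold everything in memory, but it does not need to: one pass extracts the victim's ciphertext, a second pass prints every line containing it, and the hints fall out of the result. The salted-hash half of the example is the point Adobe missed; with a salt per user the second pass finds nothing to compare.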
Yes, I admit my password was a dumb password; it was a Clayton’s password. Logging on to Adobe was not important to me.
I have not used that logon or that password for a long time.
That logon was not the logon that Evernote was emailing me about. The other logon name is important to me. Unfortunately, its password was just as transparent and dumb.
As previously reported in Practice Guidelines for the use of Cloud Computing by Lawyers, many similar security breaches have occurred in the past. Those breaches fortunately did not impact me personally. I definitely do not want to experience what occurred to poor Mat Honan (“How Apple and Amazon Security Flaws Led to My Epic Hacking”).
As a result of the breach, I have now changed the passwords on all my accounts. I do not use the same password on any two sites. My passwords are much more secure.
The seriousness of the breach is not that someone with nefarious intentions could log on to Adobe using my credentials. It is serious because it exposed my logon and my password to people who may wish to log on to another website that is important to me.
JDC 23 November 2013