BACKGROUND: In October 2013, Adobe suffered a data breach. Their database of 38 million usernames and passwords was stolen and subsequently posted online [1][2]. Adobe did not protect user passwords to industry standards, and attackers were able to exploit that. Also stored with the passwords were the users' password hints in clear text. Many of the hints are weakand easily exploited by third parties. Security experts agree that it will be trivial for miscreants to discover the passwords.Of the estimated 38 million Adobe customers affected, analysis indicates that there were over 2 million education-related accounts. We don't know how many of the email addresses are attached to active institutional accounts.Adobe reached out to individual affected users via email. The notification thoughtfully included "[we] recommend that you also change your password
on any website where you use the same user ID or password". However, there are reports of non-delivery (it might have been filtered as spam) and users disregarding the e-mail (it might have been thought to be a phishing message).
on any website where you use the same user ID or password". However, there are reports of non-delivery (it might have been filtered as spam) and users disregarding the e-mail (it might have been thought to be a phishing message).
IMPACT:
If the same password used for Adobe System accounts was used for
work, school, banking, or other accounts, those accounts may be at risk.
Repercussions could range from simple to severe, such as account hijacks
to send spam, theft of bank deposits, or hackers gaining a foothold in a
place of employment to conduct widespread damaging attacks.
work, school, banking, or other accounts, those accounts may be at risk.
Repercussions could range from simple to severe, such as account hijacks
to send spam, theft of bank deposits, or hackers gaining a foothold in a
place of employment to conduct widespread damaging attacks.
RECOMMENDATIONS: We recommend that you take the following actions:
1. CHANGE PASSWORDS IMMEDIATELY. Persons who used the same password
for Adobe and other accounts should immediately change their passwords
at the other locations, if you have not done so already, and monitor
for unusual activity.
for Adobe and other accounts should immediately change their passwords
at the other locations, if you have not done so already, and monitor
for unusual activity.
2. ADOBE PASSWORDS SHOULD BE RESET only by manually visiting the Adobe
website, and not by clicking on links arriving via email, as there is now
a concern that there will be a rise in phishing related to this event.
website, and not by clicking on links arriving via email, as there is now
a concern that there will be a rise in phishing related to this event.
3. NEVER REUSE YOUR INSTITUTIONAL PASSWORD for external web sites or
Internet services. If you reuse a password at multiple locations when
the password is compromised at one site the miscreants then can gain
access to all sites where you've used that password. The best policy
is to always use different passwords for different accounts.
Internet services. If you reuse a password at multiple locations when
the password is compromised at one site the miscreants then can gain
access to all sites where you've used that password. The best policy
is to always use different passwords for different accounts.
4. CREATE STRONG PASSWORDS. The University's Guidelines and Procedures
for Account Management contains instructions for Password Standards. The
document is available here: http://www.yorku.ca/secretariat/policies/document.php?document=126
5. BE ON THE LOOKOUT FOR PHISHING. Miscreants will be using the Adobe
breach as a pretext for phishing. Check infosec.yorku.ca regularly
for phishing information6. USE INFORMATION THAT IS NOT EASILY GUESSED. When providing password
hints use information that is not easily guessed or discovered. For
example, if your hint is "dog's name" and you mention your dog on social
networking sites miscreants can discover that information.REFERENCES:
[1] http://helpx.adobe.com/x-productkb/policy-pricing/ecc.html
[2] http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/
[3] http://www.yorku.ca/secretariat/policies/document.php?document=126
[4] http://infosec.yorku.ca/
for Account Management contains instructions for Password Standards. The
document is available here: http://www.yorku.ca/secretariat/policies/document.php?document=126
5. BE ON THE LOOKOUT FOR PHISHING. Miscreants will be using the Adobe
breach as a pretext for phishing. Check infosec.yorku.ca regularly
for phishing information6. USE INFORMATION THAT IS NOT EASILY GUESSED. When providing password
hints use information that is not easily guessed or discovered. For
example, if your hint is "dog's name" and you mention your dog on social
networking sites miscreants can discover that information.REFERENCES:
[1] http://helpx.adobe.com/x-productkb/policy-pricing/ecc.html
[2] http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/
[3] http://www.yorku.ca/secretariat/policies/document.php?document=126
[4] http://infosec.yorku.ca/
