The tentacles of the massive Adobe breach, called one of the worst in U.S. history by one security expert, have reached Facebook users, specifically those who used the same email and password combination for the social network as well as Adobe.
A Facebook representative confirmed to Threatpost today that users in that situation are being presented with a message telling them they have to change their passwords.
“We actively look for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service,” Facebook’s Jay Nancarrow said in a statement. “When we find these situations, we present messages to people to help them secure their accounts.”
The data from the Adobe breach, disclosed in early October, was discovered online by blogger Brian Krebs and Hold Security CEO Alex Holden. The software giant was breached by unknown Russian-speaking attackers who stole source code for Adobe products such as Acrobat, ColdFusion and Photoshop. Adobe initially said up to three million customer records were also compromised, including encrypted passwords and credit card numbers; that number was revised upward to more than 40 million after more of the data surfaced online. Analysis of the encrypted passwords revealed that Adobe had protected the credentials with a weak scheme: rather than a salted one-way hash, the passwords were encrypted with a reversible symmetric cipher under a single key, so anyone who recovers that one key can decrypt every password in the dump.
Facebook said it has been combing through the passwords looking for matching username-password combinations in order to keep its users’ accounts secure. Chris Long, a Facebook security team member, confirmed this in a comment posted on Krebs on Security.
“We used the plaintext passwords that had already been worked out by researchers,” Long said. “We took those recovered plaintext passwords and ran them through the same code that we use to check your password at log-in time.
“We’re proactive about finding sources of compromised passwords on the Internet. Through practice, we’ve become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts.”
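The check Long describes, as an added example that is not Facebook's code: the leak supplies recovered plaintext, so the defender never needs reversible password storage; each leaked (email, plaintext) pair is simply run through the same salted-hash verifier the login path uses, and accounts that verify are the ones to force through a reset. The user table, the leak entries and the PBKDF2 work factor below are all constructed for illustration.

```python
"""Added example: checking plaintext passwords recovered from a third-party
leak against a local user store via the normal login verifier.
Not Facebook's code; every account and leak entry here is constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; illustrative value


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash, the opposite of Adobe's reversible scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str) -> Tuple[bytes, bytes]:
    """Create a stored record: (random per-user salt, hash)."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify_password(record: Tuple[bytes, bytes], candidate: str) -> bool:
    """The same check the login path runs; constant-time comparison."""
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(candidate, salt))


# Constructed user table keyed by normalized (lower-cased) email.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_user("correct horse battery staple"),
    "bob@example.com": make_user("Summer2013!"),
    "carol@example.com": make_user("unique-and-unrelated"),
}

# Constructed leak: (email, plaintext) pairs as researchers might have worked
# them out. Bob reused his password; Carol used a different one here.
LEAK: List[Tuple[str, str]] = [
    ("alice@example.com", "correct horse battery staple"),
    ("BOB@example.com", "Summer2013!"),  # same password, different case on email
    ("carol@example.com", "password123"),
    ("dave@example.com", "not-a-user-here"),
]


def find_compromised(users: Dict[str, Tuple[bytes, bytes]],
                     leak: List[Tuple[str, str]]) -> List[str]:
    """Return the emails whose current password equals the leaked plaintext.
    These accounts must be forced to change their password."""
    hits: List[str] = []
    for email, plaintext in leak:
        key = email.strip().lower()
        record = users.get(key)
        if record is None:
            continue  # leaked address is not one of our users
        if verify_password(record, plaintext):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for email in find_compromised(USERS, LEAK):
        print(f"force password reset: {email}")
```

Because each candidate costs a full PBKDF2 evaluation, a real run over tens of millions of leaked records is batched and rate-limited like any other bulk job; the important property is that the check is exactly the login verifier, so it needs no plaintext or decryptable copy of the user's password.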
In the meantime, a 20-year-old from the Netherlands who goes by the handle Lucb1e built a tool that lets anyone search the stolen data for an email address or part of one. The tool is still online, though Lucb1e said it won’t be forever.
“Searching a 10GB file is not trivial, so instead of searching it for everyone individually, I wrote a program that does it in the background (daemon),” he wrote. “Whenever someone adds a search, it is added to the database. The daemon checks every few seconds whether any (and how many) searches have been added, and runs all searches at the same time.”
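The batching idea Lucb1e describes, as an added example that is not his code: searches accumulate in a queue, and the daemon satisfies every pending one in a single pass over the dump instead of rescanning the file per request. The record format (`email:ciphertext`) and the dump lines below are constructed, and the queue is an in-memory list standing in for his database.

```python
"""Added example: single-pass batch search over a large dump.
Not Lucb1e's code; the dump lines and record format are constructed."""
from typing import Dict, Iterable, List

# Constructed dump lines (not real Adobe data): "email:ciphertext" per line.
DUMP_LINES: List[str] = [
    "alice@example.com:2fX3pQ9kL1o=",
    "bob@example.org:9sT1bR4vN2c=",
    "carol@example.com:2fX3pQ9kL1o=",
    "dave@sample.net:Kk0pWq8sY7e=",
]


def run_searches(lines: Iterable[str], queries: List[str]) -> Dict[str, List[str]]:
    """Satisfy every pending query in one pass over `lines`.

    A query may be a full email or any substring of one (partial address);
    matching is case-insensitive on the email field. `lines` can be a lazy
    file iterator, so the dump never has to fit in memory.
    """
    results: Dict[str, List[str]] = {q: [] for q in queries}
    needles = [(q, q.lower()) for q in queries]
    for line in lines:
        email = line.split(":", 1)[0].lower()
        for q, needle in needles:
            if needle in email:
                results[q].append(line)
    return results


class SearchDaemon:
    """Minimal version of the background loop: searches are queued by the web
    front end and run together on each tick."""

    def __init__(self, lines: List[str]) -> None:
        self.lines = lines
        self.pending: List[str] = []
        self.completed: Dict[str, List[str]] = {}

    def add_search(self, query: str) -> None:
        self.pending.append(query)

    def tick(self) -> int:
        """Run all queued searches at once; return how many were served."""
        if not self.pending:
            return 0
        batch, self.pending = self.pending, []
        self.completed.update(run_searches(self.lines, batch))
        return len(batch)


if __name__ == "__main__":
    daemon = SearchDaemon(DUMP_LINES)
    daemon.add_search("alice@example.com")
    daemon.add_search("@example.com")
    print(f"served {daemon.tick()} searches")
    for query, hits in daemon.completed.items():
        print(query, "->", len(hits), "hit(s)")
```

With a file on disk, `run_searches(open(path), batch)` streams the dump line by line; the cost of one pass is paid once per tick regardless of how many searches were queued, which is the whole point of the daemon.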
Adobe was compromised between July 31 and Aug. 15, but the breach was not discovered for more than a month. Adobe disclosed the breach to its customers on Oct. 3 and has yet to provide details on how attackers were able to bypass its defenses. Krebs and Holden found 40 GB of data stolen from Adobe and other organizations on the same server used by criminals who pulled off breaches against LexisNexis and Dun & Bradstreet. These same attackers are believed to be responsible for a number of breaches using ColdFusion exploits going back to December of last year.