Adobe pulled down a forum for users of its video conferencing service, Adobe Connect, after a hacker successfully compromised the server and downloaded information on its 150,000 members.
The information taken from the server included each member’s name, username, company, title and email address as well as the hashed version of their password. In a statement posted to Pastebin on Nov. 13, the hacker—who claimed to be Egyptian—said that he would publicly post only the information for Adobe employees and users that work for the U.S. Department of Defense or other government agencies.
“I’m not looking to ruin Adobe business so i will leak only (those) emails,” the post stated.
The compromise of Adobe’s ConnectUsers Forum is the latest breach of a major corporate Web service in the past two years. Hackers stole the passwords for 6.5 million LinkedIn users in June and leaked the passwords of approximately 400,000 Yahoo! Voices users in July.
In a blog post on its Connect Blog, Adobe confirmed the compromise and briefly stated the steps it has taken to fix the issues, including pulling down the service on the evening of Nov. 13 and resetting the password of the affected users. The company will send out instructions to users on resetting their password once it restores the service, Adobe said in a statement.
“It does not appear that any other Adobe services, including the Adobe Connect conferencing service itself, were impacted,” Guillaume Privat, director of Adobe’s Connect product said in the post.
Adobe recommended that all users change their passwords and follow the practice of using a different password for every Web service.
Password reuse is a major cause for concern when Web services are compromised. An attacker that compromises a minor site with poor security can use a password file to gain access to people’s accounts on sites and services with stronger security. Following the compromise of Yahoo Voices, for example, one security researcher found that 60 percent of the people who used both the Yahoo service and were also members of Sony Pictures, which was breached in 2011, used the same password.
It will likely not be long before a significant portion of the password list is decrypted. Brute-force decryption techniques have advanced to the point where attackers can quickly decrypt the most common passwords from their hashes. For example, 80 percent of the list of LinkedIn password were decrypted.
The attack comes as Adobe has made very public efforts to weed out the vulnerabilities in its widely used software, such as Adobe Acrobat and Flash. Since 2009, the company has focused on making its software harder to compromise and raising the level of effort that attackers have to expend to find and exploit vulnerabilities. Among the company’s major efforts: Adding automatic update mechanisms to its software and creating a secure product development lifecycle to find and fix vulnerabilities.
Despite Adobe’s efforts, the hacker cited the company’s allegedly slow response to issues as the reason for the latest attack.
“Adobe is a very big company but they don’t really take care of them security issues,” the hacker complained in the Pastebin post. “Such big companies should really respond very fast and fix the security issues as fast as they can.”