Why the Adobe breach means you should change your Facebook (and other) passwords: SSO Alert Priority Moderate
18 November 2013
The recent Adobe data breach has prompted Facebook to force a password reset for any user it suspects of reusing their compromised Adobe password on its site.
A number of other sites have followed suit, with more likely to do so in the future.
If you reuse your passwords on multiple sites, the compromise of one site means you are exposed anywhere else you use that information.
If you use your Adobe password anywhere else, you should change it on those sites as soon as possible.
The Adobe breach included the loss of encrypted passwords for between 38 million and 150 million users.
Many, if not all, of these encrypted passwords have already been guessed or even decrypted. This means that the email address and password you stored with Adobe are known to hackers, who will invariably be looking for other places where they might be reused.
Because so many people commonly reuse the same password across many of the sites they use, Facebook acted to protect its users by analysing the breached data to identify any of its customers who reused the same email and password on Facebook.
Facebook has sent a notification to the affected users it identified and, if required, you will have been forced to change your password. If you think you might have reused your Adobe password on any other sites, you should change it on those sites.
How can passwords be cracked?
At a very basic level, one method is to look for the passwords people use most commonly. These are likely to appear a greater number of times in such a large list. It is relatively easy to sort the list and begin to logically guess many of the most common passwords. Because of the encryption Adobe used, together with other easily established or known information such as password hints, the encrypted password list is essentially (if not actually) cracked.
‘123456’, ‘123456789’, ‘qwerty’, ‘iloveyou’ and ‘password’ are always amongst the most popular passwords and, with minimal effort, Top 20 and Top 100 password lists from the Adobe breach have quickly emerged. If your password resembles any of these, it’s far too weak.
This example highlights why it is so important to use a strong and unique password for each site you visit.
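The effect described under "How can passwords be cracked?", shown as an added example that is not part of the original alert: when every copy of a password is stored as the same value, sorting by frequency groups the accounts and pools their hints, while a per-user salt with a slow hash removes that grouping. The keyed HMAC is an assumed stand-in for Adobe's encryption, which this alert does not specify; the accounts, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real breach data): (email, password, hint)
ACCOUNTS = [
    ("a@example.com", "123456", "one to six"),
    ("b@example.com", "123456", "numbers"),
    ("c@example.com", "123456", "1-6"),
    ("d@example.com", "qwerty", "top row of keyboard"),
    ("e@example.com", "qwerty", ""),
    ("f@example.com", "T7#vq!Lr92xk", ""),
]
SITE_KEY = b"constructed-site-wide-key"  # assumption: one key shared by all users

def store_deterministic(password):
    """Assumed stand-in for unsalted, single-key storage: same password, same value."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).hexdigest()

def store_salted(password):
    """Per-user random salt plus a slow hash: same password, different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def clusters(store):
    """Group accounts by stored value; return (count, non-empty hints), largest first."""
    groups = defaultdict(list)
    for _email, password, hint in ACCOUNTS:
        groups[store(password)].append(hint)
    found = [(len(h), [x for x in h if x]) for h in groups.values()]
    return sorted(found, key=lambda t: -t[0])

if __name__ == "__main__":
    for name, store in (("deterministic", store_deterministic), ("salted", store_salted)):
        print(name)
        for count, hints in clusters(store):
            print(f"  {count} account(s) share a stored value; hints: {hints}")
```

With the deterministic scheme the largest group carries three hints that all describe one password; with salting every stored value is unique, so the list cannot be sorted by popularity.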
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.