A few weeks ago Adobe warned customers they had to change passwords to their accounts because sophisticated attacks on its network accessed customer information of some 2.9 million people as well as source code for a number of products.
The data include names and encrypted credit or debit card numbers. At this point, the notice said, Adobe didn’t believe unencrypted data had been removed. Customers were told they’d have to change their passwords, just to be safe.
But according to a report in Ars Technica, Adobe made a mistake in the way it held customer passwords: It used reversible encryption on the stolen customer file, meaning that thieves could unscramble the encryption and access the data.
By contrast, best practices call for stored passwords to be protected by one-way cryptographic hashing algorithms, the article says.
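To make that contrast concrete, here is an added example (not code from the article or from Adobe): a toy reversible scheme beside salted one-way hashing. SAMPLE_USERS, SITE_KEY and the keyed-XOR stand-in are constructed for illustration; PBKDF2-HMAC-SHA256 is the hashing choice assumed here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: three accounts, two of which chose the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "Tr0ub4dor&3"}
SITE_KEY = b"constructed-site-key-kept-on-the-server"  # stand-in for a server-side key

def _keystream_xor(data: bytes, key: bytes) -> bytes:
    # Deterministic keystream derived from the key; XOR is its own inverse.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def reversible_encrypt(password: str, key: bytes) -> bytes:
    """Toy stand-in for reversible password 'protection' (constructed, not Adobe's scheme)."""
    return _keystream_xor(password.encode(), key)

def reversible_decrypt(blob: bytes, key: bytes) -> str:
    # Whoever holds the key runs the inverse and recovers every stored password.
    return _keystream_xor(blob, key).decode()

ITERATIONS = 200_000  # slow by design so offline guessing is expensive

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """One-way storage: random per-user salt + PBKDF2-HMAC-SHA256. No key reverses this."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Login recomputes the hash and compares in constant time; the password is never recovered."""
    _, recomputed = hash_password(candidate, salt)
    return hmac.compare_digest(recomputed, digest)

def main() -> None:
    enc_table = {u: reversible_encrypt(p, SITE_KEY) for u, p in SAMPLE_USERS.items()}
    # A thief who obtains the key unscrambles the whole file at once ...
    print({u: reversible_decrypt(b, SITE_KEY) for u, b in enc_table.items()})
    # ... and even without it, identical ciphertexts reveal which users share a password.
    print("alice and bob share a password:", enc_table["alice"] == enc_table["bob"])
    hash_table = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("hashed entries differ despite same password:",
          hash_table["alice"][1] != hash_table["bob"][1])
    print("login check for alice:", verify_password("correct horse", *hash_table["alice"]))

if __name__ == "__main__":
    main()
```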
Author Dan Goodin acknowledges that breaking the encryption won’t be easy, but he quotes one expert as saying hackers may have one thing going for them in the way Adobe did the encryption.
The article does quote Adobe saying the authentication system attacked was a backup system, not a newer system that uses other security techniques.
One lesson for those responsible for IT security is to make sure your organization is following best practices.