Secure User Data with Hashed Passwords, Salts and Iterations

Lessons from Adobe's breach and heartbreak for Cupid Media's users

Recently, I commented on the Adobe breach in a post titled “How Secure is Your Old and Inactive User Data?”  The next week I followed up with, “Adobe’s Breach Widens.” It was then that Heather Edell, Adobe’s Senior Manager of Corporate Communications contacted me directly with a few details about how Adobe is responding to some of the 38 million customers whose data was made vulnerable by the breach:

Customers whose credit or debit card information was involved are receiving a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them.

I appreciated the email from Heather. The Adobe web page is very good with a lot of details, and jives with what Brian Krebs and others outlined.

I’ll also take this as a polite way to say that no, the email-address-only losses aren’t going to be notified. We’ll agree to disagree on that.

Related to the Adobe breach, Brian Krebs also reported that Facebook mined that data to alert Facebook users that their password may have been compromised, and put their accounts into a recovery limbo. Kudos to Facebook!

Brian Krebs has a new story to top the Adobe one. On the same server where the Adobe accounts were found, there were 42 million accounts from Cupid Media a “Niche Online Dating” service. These included *plaintext* passwords, along with names, email addresses, and date of birth. They also embarrassed themselves to Krebs; read his article for details. Cupid Media’s web site is down as I write this.

Let me speak to anyone involved in any web business. It isn’t a matter of *if* you’re going to get hacked. Someday, something will happen. Take the precaution beforehand, and make sure you do a salted, iterated hash of passwords and store that. There is a good article on Crackstation on the whys, hows, and where things can go wrong. I found them by typing “*salted iterated hash password*” into my favorite search engine. It’s not hard. Also note that if you’ve stored them in plaintext, it’s *easy* to upgrade your database.

Here is another suggestion. Make sure that you have an email address for *security* at your domain. Make sure it forwards to a handful of level-headed senior people in your company. One or two in development, operations, customer support, etc. Level-headed is key, because people will tell you problems with your site and products. Thank them! As much as it hurts to be told about problems, these people are trying to help you.

* * *

Letter from Heather Edell, Adobe’s Senior Manager of Corporate Communications:

I’d like to provide you with the up-to-date information on what we’re doing to help our customers through this process.

As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. Customers whose user ID and password were involved are receiving an email notification from Adobe with information on how to change their password. We also recommend that customers change their passwords on any website where they may have used the same user ID and password.

We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. Customers whose credit or debit card information was involved are receiving a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them. We have also notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership.

We continue to work diligently internally, as well as with external partners, to address the incident. We have contacted federal law enforcement and are assisting in their investigation.

Adobe has set up a Customer Support page to provide customers with more information here.

tags: