Adobe has reacted quickly after it admitted that its video conferencing service, Adobe Connect, has been compromised.
Adobe pulled down a forum for users of the Adobe Connect service, after a hacker successfully compromised the server and downloaded information on its 150,000 members.
The information taken from the server included each member’s name, username, company, title and email address as well as the hashed version of their password. In a statement posted to Pastebin on 13 November, the hacker – who claimed to be Egyptian – said that he would publicly post only the information for Adobe employees and users that work for the US Department of Defense or other government agencies.
“I’m not looking to ruin Adobe business so i will leak only (those) emails,” the post stated.
In a blog post on its Connect Blog, Adobe confirmed the compromise and briefly stated the steps it has taken to fix the issues, including pulling down the service on the evening of 13 November and resetting the password of the affected users. The company will send out instructions to users on resetting their password once it restores the service, Adobe said in a statement.
“It does not appear that any other Adobe services, including the Adobe Connect conferencing service itself, were impacted,” Guillaume Privat, Director of Adobe’s Connect product said in the post.
Adobe recommended that all users change their passwords and follow the practice of using a different password for every Web service.
Password reuse is a major cause for concern when Web services are compromised. An attacker that compromises a minor site with poor security can use a password file to gain access to people’s accounts on sites and services with stronger security. Following the compromise of Yahoo Voices, for example, one security researcher found that 60 percent of the people who used both the Yahoo service and were also members of Sony Pictures, which was breached in 2011, used the same password.
It will likely not be long before a significant portion of the password list is decrypted. Brute-force decryption techniques have advanced to the point where attackers can quickly decrypt the most common passwords from their hashes. For example, 80 percent of the list of LinkedIn password were decrypted.
The attack comes as Adobe has made very public efforts to weed out the vulnerabilities in its widely-used software, such as Adobe Acrobat and Flash. Since 2009, the company has focused on making its software harder to compromise and raising the level of effort that attackers have to expend to find and exploit vulnerabilities. Among the company’s major efforts: Adding automatic update mechanisms to its software and creating a secure product development lifecycle to find and fix vulnerabilities.
Despite Adobe’s efforts, the hacker cited the company’s allegedly slow response to issues as the reason for the latest attack.
“Adobe is a very big company but they don’t really take care of them security issues,” the hacker complained in the Pastebin post. “Such big companies should really respond very fast and fix the security issues as fast as they can.”
Are you a security guru? Try our quiz!
Originally published on eWeek.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
Title is misleading. The Adobe Connect service itself was not impacted. A user forum, connectusers.com did as you justly write in the body of the article.