Adobe has reacted quickly after it admitted that its video conferencing service, Adobe Connect, has been compromised.
Adobe pulled down a forum for users of the Adobe Connect service, after a hacker successfully compromised the server and downloaded information on its 150,000 members.
The information taken from the server included each member’s name, username, company, title and email address as well as the hashed version of their password. In a statement posted to Pastebin on 13 November, the hacker – who claimed to be Egyptian – said that he would publicly post only the information for Adobe employees and users that work for the US Department of Defense or other government agencies.
“I’m not looking to ruin Adobe business so i will leak only (those) emails,” the post stated.
In a blog post on its Connect Blog, Adobe confirmed the compromise and briefly stated the steps it has taken to fix the issues, including pulling down the service on the evening of 13 November and resetting the password of the affected users. The company will send out instructions to users on resetting their password once it restores the service, Adobe said in a statement.
“It does not appear that any other Adobe services, including the Adobe Connect conferencing service itself, were impacted,” Guillaume Privat, Director of Adobe’s Connect product said in the post.
Adobe recommended that all users change their passwords and follow the practice of using a different password for every Web service.
Password reuse is a major cause for concern when Web services are compromised. An attacker that compromises a minor site with poor security can use a password file to gain access to people’s accounts on sites and services with stronger security. Following the compromise of Yahoo Voices, for example, one security researcher found that 60 percent of the people who used both the Yahoo service and were also members of Sony Pictures, which was breached in 2011, used the same password.
It will likely not be long before a significant portion of the password list is decrypted. Brute-force decryption techniques have advanced to the point where attackers can quickly decrypt the most common passwords from their hashes. For example, 80 percent of the list of LinkedIn password were decrypted.
The attack comes as Adobe has made very public efforts to weed out the vulnerabilities in its widely-used software, such as Adobe Acrobat and Flash. Since 2009, the company has focused on making its software harder to compromise and raising the level of effort that attackers have to expend to find and exploit vulnerabilities. Among the company’s major efforts: Adding automatic update mechanisms to its software and creating a secure product development lifecycle to find and fix vulnerabilities.
Despite Adobe’s efforts, the hacker cited the company’s allegedly slow response to issues as the reason for the latest attack.
“Adobe is a very big company but they don’t really take care of them security issues,” the hacker complained in the Pastebin post. “Such big companies should really respond very fast and fix the security issues as fast as they can.”
Are you a security guru? Try our quiz!
Originally published on eWeek.
Judge orders X, Starlink bank accounts unfrozen after $3.3m transfer pays off fines imposed on…
Uber expands deal with Waymo from Phoenix to Austin, Texas and Atlanta as it faces…
Discover how Generative AI is transforming the retail experience with personalised interactions, AI-powered search, and…
US House of Representatives passes bill restricting tax credits for electric vehicles using battery technology…
NASA to launch 'Europa Clipper' mission to Jupiter's moon Europa next month as it seeks…
National Crime Agency arrests 17-year-old in Walsall over hack of Transport for London that compromised…
View Comments
Title is misleading. The Adobe Connect service itself was not impacted. A user forum, connectusers.com did as you justly write in the body of the article.