Adobe's 153 Million Account Breach and Embarrassing Password Hints

Adobe stored 153 million user passwords encrypted with 3DES in ECB mode under a single key instead of hashing them, so every user with the same password had byte-for-byte identical ciphertext. The plaintext password hints stored beside them gave away millions of passwords outright.

Adobe · 2013 · 2 min read

Background

Adobe Creative Cloud and its associated products had tens of millions of active users in 2013. Adobe's authentication store protected passwords with reversible encryption rather than salted one-way hashing, a practice already considered inadequate well before 2013.

The Attack

Attackers breached Adobe's internal systems and exfiltrated a database of 153 million user records containing email addresses, encrypted passwords, and plaintext password hints. Adobe had used 3DES, a reversible symmetric block cipher, in ECB mode with one key for the whole table, rather than a salted one-way hash. ECB mode has no IV and encrypts each 8-byte block independently, so two users with the same password received identical ciphertext, and passwords sharing the same first eight characters shared their first ciphertext block. Without ever recovering the key, anyone holding the dump could cluster records by ciphertext and read off the structure of each password. The hint field, stored in plaintext, then served as a crib for every record in a cluster, and in many cases the hint simply was the password.
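The clustering attack described above, as an added example that is not Adobe's code or part of the original write-up. It encrypts a constructed set of records with real 3DES in ECB mode under a single hypothetical site-wide key (the key value, PKCS#7 padding and base64 encoding are assumptions; only the mode and key reuse matter), groups records by ciphertext without using the key, shows that passwords with a common 8-byte prefix share their first block, and contrasts this with per-user salted hashing, which is what takeaway 3 below asks for:

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// record is one row of a constructed password table. Not real Adobe data.
type record struct {
	Email, Password, Hint string
}

var sample = []record{
	{"a@example.com", "123456", "numbers"},
	{"b@example.com", "123456", "1-6"},
	{"c@example.com", "123456", "one two three..."},
	{"d@example.com", "adobe123", "company name plus 123"},
	{"e@example.com", "adobe123", ""},
	{"f@example.com", "hunter2", "hunter2"},
}

// siteKey is a hypothetical single 3DES key (24 bytes) shared by every row.
// The weakness demonstrated is ECB mode plus key reuse, not this key's value.
var siteKey = []byte("0123456789abcdef01234567")

// pad applies PKCS#7 padding up to the 8-byte DES block size (an assumption
// about the original scheme; any deterministic padding behaves the same way).
func pad(b []byte) []byte {
	n := 8 - len(b)%8
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB mimics reversible 3DES-ECB password "protection": each 8-byte
// block is encrypted independently with the same key, so equal plaintext
// blocks always give equal ciphertext blocks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	p := pad(plaintext)
	out := make([]byte, len(p))
	for i := 0; i < len(p); i += block.BlockSize() {
		block.Encrypt(out[i:], p[i:])
	}
	return out, nil
}

// groupByCiphertext clusters rows whose stored ciphertext is identical and
// collects their hints. This is what researchers did with the leaked dump
// without ever knowing the key.
func groupByCiphertext(recs []record) (map[string][]string, error) {
	groups := map[string][]string{}
	for _, r := range recs {
		ct, err := encryptECB(siteKey, []byte(r.Password))
		if err != nil {
			return nil, err
		}
		k := base64.StdEncoding.EncodeToString(ct)
		groups[k] = append(groups[k], r.Hint)
	}
	return groups, nil
}

// largestGroup returns the size and hints of the biggest cluster, i.e. the
// most popular password and the cribs that reveal it.
func largestGroup(groups map[string][]string) (int, []string) {
	best, bestHints := 0, []string(nil)
	for _, hints := range groups {
		if len(hints) > best {
			best, bestHints = len(hints), hints
		}
	}
	return best, bestHints
}

// sharedFirstBlock reports whether two passwords produce the same first
// ciphertext block, which ECB guarantees whenever their first 8 bytes match.
func sharedFirstBlock(a, b string) (bool, error) {
	ca, err := encryptECB(siteKey, []byte(a))
	if err != nil {
		return false, err
	}
	cb, err := encryptECB(siteKey, []byte(b))
	if err != nil {
		return false, err
	}
	return bytes.Equal(ca[:8], cb[:8]), nil
}

// saltedHash is the remediation shape: a random per-user salt makes equal
// passwords produce unrelated digests. SHA-256 is used only because it is in
// the standard library; production code should use Argon2id, scrypt or bcrypt.
func saltedHash(password string) (salt, digest []byte, err error) {
	salt = make([]byte, 16)
	if _, err = rand.Read(salt); err != nil {
		return nil, nil, err
	}
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return salt, h.Sum(nil), nil
}

func main() {
	groups, err := groupByCiphertext(sample)
	if err != nil {
		panic(err)
	}
	keys := make([]string, 0, len(groups))
	for k := range groups {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool { return len(groups[keys[i]]) > len(groups[keys[j]]) })
	for _, k := range keys {
		fmt.Printf("%-24s users=%d hints=%q\n", k, len(groups[k]), groups[k])
	}
	shared, _ := sharedFirstBlock("password1", "password2")
	fmt.Println("password1/password2 share first ciphertext block:", shared)
	_, d1, _ := saltedHash("123456")
	_, d2, _ := saltedHash("123456")
	fmt.Println("salted hashes of the same password equal:", bytes.Equal(d1, d2))
}
```

The output groups the three "123456" rows under one ciphertext with hints "numbers", "1-6" and "one two three..." attached, which is enough to guess the password for all three without touching the key; the two 9-character passwords share their first block, exposing that they start with the same eight characters. The salted hashes of identical passwords differ, so no such clustering is possible against a properly hashed table.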

Response

Adobe disclosed the breach in October 2013, initially putting the number of affected customers at 2.9 million. The figure of 153 million records emerged only once the database itself circulated online. Adobe reset all affected passwords, notified users, and offered free credit monitoring. The company also moved its authentication system to salted one-way password hashing.

Outcome

The breach was uniquely embarrassing: security researchers determined the most common passwords without the key, simply by counting identical ciphertexts in the dump and reading the hints attached to each cluster. "123456" was used by about 1.9 million Adobe users. The company settled with state attorneys general for $1.1 million.

Key Takeaways

  1. Passwords must be hashed with a purpose-built, deliberately slow one-way function such as Argon2id, scrypt or bcrypt, never encrypted with a reversible cipher, since a reversible cipher makes the key a single point of total compromise
  2. Never store password hints in plaintext, or at all where avoidable; they frequently reveal the password itself, and in a clustered dump one user's hint unlocks every account sharing that password
  3. Use a unique random salt per password so identical passwords do not produce identical stored values; the functions in point 1 handle the salt for you
  4. Even where encryption is genuinely required, ECB mode leaks plaintext equality and block structure; use an authenticated mode with a unique nonce per message
  5. Initial breach disclosures routinely undercount the true scope; plan for the larger number
3DES, password encryption, weak cryptography, credential theft, password hints