Attacks/Breaches
11/14/2012
04:23 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Adobe Hacker Says He Used SQL Injection To Grab Database Of 150,000 User Accounts

Exposed passwords were MD5-hashed and 'easy to crack' via free cracking tools, he says

Adobe today confirmed that one of its databases has been breached by a hacker and that it has temporarily taken offline the affected Connectusers.com website.

The attacker who claimed responsibility for the attack, meanwhile, told Dark Reading that he used a SQL injection exploit in the breach.

Adobe's confirmation of the breach came in response to a Pastebin post yesterday by the self-proclaimed Egyptian hacker who goes by "ViruS_HimA." He says he hacked into an Adobe server and dumped a database of 150,000 emails and passwords of Adobe customers and partners; affected accounts include Adobe employees, U.S. military users including U.S. Air Force users, and users from Google, NASA, universities, and other companies.

The hacker, who also goes by Adam Hima, told Dark Reading that the server he attacked was the Connectusers.com Web server, and that he exploited a SQL injection flaw to execute the attack. "It was an SQL Injection vulnerability -- somehow I was able to dump the database in less requests than normal people do," he says.

Users passwords for the Adobe Connect users site were stored and hashed with MD5, he says, which made them "easy to crack" with freely available tools. And Adobe wasn't using WAFs on the servers, he notes.

"I just want to be clear that I'm not going against Adobe or any other company. I just want to see the biggest vendors safer than this," he told Dark Reading. "Every day we see attacks targeting big companies using Exploits in Adobe, Microsoft, etc. So why don't such companies take the right security procedures to protect them customers and even themselves?"

The hacker leaked only some of the affected emails, including some from @ "adobe.com", "*.mil", and "*.gov," with a screen shot in his Pastebin post, where he first noted that his leak was because Adobe was slow to respond to vulnerability disclosures and fixes.

"Adobe is a very big company but they don't really take care of them security issues, When someone report vulnerability to them, It take 5-7 days for the notification that they've received your report!!" he wrote. "It even takes 3-4 months to patch the vulnerabilities!"

Adobe didn't provide details of how the breach occurred. Guillaume Privat, director of Adobe Connect, in a blog post this afternoon said Adobe took the Connectusers.com forum website offline last night and is working on getting passwords reset for the affected accounts, including contacting the users. Connect is Adobe's Web conferencing, presentation, online training, and desktop-sharing service. Only the user forum was affected.

"Adobe is currently investigating reports of a compromise of a Connectusers.com forum database. These reports first started circulating late during the day on Tuesday, November 13, 2012. At this point of our investigation, it appears that the Connectusers.com forum site was compromised by an unauthorized third party. It does not appear that any other Adobe services, including the Adobe Connect conferencing service itself, were impacted," Privat said.

This is the second public breach of the software firm this year. In October, Adobe revealed that an internal server with access to its digital certificate code-signing infrastructure was hacked by "sophisticated threat actors."

The attackers had created at least two malicious files that they digitally signed with a valid Adobe digital certificate. Adobe revoked the certificate and issued updates for its software signed by it, including Windows-based apps and Adobe AIR.

Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post. He found that the list appears to be valid and that the hacked database is relatively old. "I have analyzed some of the leaked data and compared some names in that leaked files against linkedin.com and found out they did work for Adobe but no longer employed there," he says. "The list include both Adobe and other companies email, which suggests that this may be a customer related" database, he says.

The Adobe hacker Hima, meanwhile, warned in his post that his next leak would be for Yahoo. Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mday55401
50%
50%
mday55401,
User Rank: Apprentice
11/20/2012 | 5:29:03 PM
re: Adobe Hacker Says He Used SQL Injection To Grab Database Of 150,000 User Accounts
Could be a lot worse. This problem looks like Adobe doesn't keep their software patches up to date. Maybe their IT department needs a kick in the pants to wake them up
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7877
Published: 2014-10-30
Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors.

CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.