This past weekend, I checked my Twitter feed and I noticed I was
suddenly following a bunch of accounts that I had never seen before. I
immediately sensed something was up, which was confirmed when there were
posts from me in Russian (note: I don't speak, nor can I write,
I immediately changed my password and revoked access to most apps that
could access my Twitter feed. Changing my password ended up being a bit
of a chore, but it eventually happened. Things have settled down and are back to normal.
What was particularly interesting about this was that right after I
changed my password, I got an email from Adobe:
As we announced on October 3, Adobe discovered sophisticated attacks on
our network involving the illegal access and removal of a backup
database containing Adobe IDs and encrypted passwords. We are writing to
let you know that your Adobe ID was in the database taken by the
attackers -- but, importantly, your current password was not. As a
result, we did not reset your password. We have no reason to believe
that your Adobe ID account is at risk or that there has been
unauthorized activity on your account. The database taken by the
attackers came from a backup system that contained many out-of-date
records and was designated to be decommissioned. Adobe’s
authentication system of record, which cryptographically hashes and
salts customer passwords, was not the source of the database that was
taken. (Emphasis mine.)
How sweet of them to tell me this in a timely fashion. It's only been
two and a half months.
I heard of the (egregious) Adobe breach, but to my knowledge, I didn't
have an Adobe account. Apparently I did, so I changed the password on
it anyway, but Adobe's wording has me wondering a few things.
- Was my account "out-of-date" and about to be decommissioned?
- Were the "out-of-date" credentials hashed and salted?
- What constitutes "out-of-date" and what is the decommissioning
I highly suspect that the Adobe breach was the source of the hack here,
and it's my fault for recycling passwords. I use a password manager but I
probably created that Adobe account before I started using a password
manager. My fault for not changing my Twitter password sooner, but
Adobe sure didn't help matters.
Lesson learned. Slowly go through the hundreds of accounts I have, and
audit the passwords or delete the account where applicable.
And don't trust Adobe.