This past weekend, I checked my Twitter feed and I noticed I was suddenly following a bunch of accounts that I had never seen before. I immediately sensed something was up, which was confirmed when there were posts from me in Russian (note: I don't speak, nor can I write, Russian).
I immediately changed my password and revoked access to most apps that could access my Twitter feed. Changing my password ended up being a bit of a chore, but it eventually happened. Things have settled down and are back to normal.
What was particularly interesting about this was that right after I changed my password, I got an email from Adobe:
As we announced on October 3, Adobe discovered sophisticated attacks on our network involving the illegal access and removal of a backup database containing Adobe IDs and encrypted passwords. We are writing to let you know that your Adobe ID was in the database taken by the attackers -- but, importantly, your current password was not. As a result, we did not reset your password. We have no reason to believe that your Adobe ID account is at risk or that there has been unauthorized activity on your account. The database taken by the attackers came from a backup system that contained many out-of-date records and was designated to be decommissioned. Adobe’s authentication system of record, which cryptographically hashes and salts customer passwords, was not the source of the database that was taken. (Emphasis mine.)
How sweet of them to tell me this in a timely fashion. It's only been two and half months.
I heard of the (egregious) Adobe breach, but to my knowledge, I didn't have an Adobe account. Apparently I did, so I changed the password on it anyway, but Adobe's wording has me wondering a few things.
- Was my account "out-of-date" and about to be decommissioned?
- Were the "out-of-date" credentials hashed and salted?
- What constitutes "out-of-date" and what is the decommissioning process?
I highly suspect that the Adobe breach was the source of the hack here, and it's my fault for recycling passwords. I use a password manager but I probably created that Adobe account before I started using a password manager. My fault for not changing my Twitter password sooner, but Adobe sure didn't help matters.
Lesson learned. Slowly go through the hundreds of accounts I have, audit the passwords or delete the account where applicable.
And don't trust Adobe.