According to Adobe’s blog, their popular conferencing software forum ConnectUsers.com has been breached through a SQL injection attack. Adobe has had to take it down while they rewrite the hashing algorithm used to store user passwords. Why? Because 150,000 usernames and passwords were stolen, with 230 of them already shared online by the hackers. Rumor is that almost 200 of those accounts have already been cracked because the passwords were simply hashed using MD5, without a salt.
If you do not understand why hashing passwords with stronger algorithms like SHA512 with a salt is important, consider checking out the episode of Crack the Cred that I did on hashing. You can watch it in the video below:
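To make the point concrete, here is an added Python illustration (not code from the original post or from Adobe) contrasting the weak scheme described above, unsalted MD5, with a per-user salt and SHA-512. The user list is constructed sample data; PBKDF2 iterations are an assumption on top of the plain salted SHA-512 the post mentions.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample data: two of the three accounts chose the same weak password.
USERS: List[Tuple[str, str]] = [
    ("alice", "password1"),
    ("bob", "password1"),
    ("carol", "Tr0ub4dor&3"),
]


def md5_unsalted(password: str) -> str:
    """The weak scheme from the post: plain MD5 with no salt.

    Every account with the same password gets the identical hash, so one
    lookup-table hit cracks all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


def sha512_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted SHA-512 (iterated via PBKDF2-HMAC, an assumption beyond the post).

    Returns 'iterations$salt_hex$digest_hex' so the verifier can recover the salt."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_hash_count(hashes: List[str]) -> int:
    """Number of distinct hash values shared by more than one account.

    A non-zero count is exactly the leak that unsalted hashing exposes."""
    return sum(1 for h in set(hashes) if hashes.count(h) > 1)


if __name__ == "__main__":
    print("unsalted MD5 duplicates:", duplicate_hash_count([md5_unsalted(p) for _, p in USERS]))
    print("salted SHA-512 duplicates:", duplicate_hash_count([sha512_salted(p) for _, p in USERS]))
```

Run it and the unsalted column reports one shared hash (alice and bob) while the salted column reports none, even though the passwords are identical.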
It goes to show that weak passwords reused on one site could very well expose you to risk on others. Adobe did the right thing and took the system offline. According to Ars Technica, who have been in contact with the company, Adobe engineers are updating the password schema and resetting everyone’s passwords before the forum is brought back online. While the damage is done and the leaked credentials may very well surface on the Internet, the lesson we can learn here is that we should NEVER reuse passwords across websites. The risk is far too great that they could be shared, stolen or guessed.
Of course, if you are a user of Adobe Connect and have an account on the forum, I’d recommend that you change your password when the forum comes back online. Use the AuthAnvil Password Server to generate a complex random password that you can store and forget until you need it.