
Anatomy of a Breach: Adobe — 153 Million Accounts and the Largest Data Breach in History

> series: anatomy_of_a_breach —— part: 057 —— target: adobe —— accounts: 153,000,000 —— password_storage: 3des_ecb

Hedgehog Security, 30 September 2013

153 million accounts. Passwords encrypted, not hashed. And they lost the source code too.

On 3 October 2013, Adobe disclosed that attackers had accessed its network and stolen customer data and source code. Adobe initially reported 2.9 million affected accounts. Within weeks, security researcher Brian Krebs reported that the actual number was at least 38 million — and when the full database was published online, it contained 153 million records, making it the largest data breach ever reported at the time.

The breach was remarkable not just for its scale but for its technical failures. Adobe had stored passwords using 3DES symmetric encryption in ECB (Electronic Codebook) mode — not one-way hashing. This meant identical passwords produced identical ciphertexts, allowing researchers to identify the most common passwords through frequency analysis and cross-reference them with the unencrypted password hints that Adobe had also stored. The combination of ECB-mode encryption and plaintext hints made the 153-million-record database a masterclass in how not to store passwords. Additionally, the attackers stole source code for Adobe Acrobat, ColdFusion, and ColdFusion Builder — potentially exposing zero-day vulnerabilities in products installed on millions of systems worldwide.



3DES in ECB mode — a catastrophic choice.

Adobe's password storage was a case study in doing everything wrong. Instead of using a one-way hash (like bcrypt or even SHA-256 with salt), Adobe used 3DES symmetric encryption — meaning the passwords could theoretically be decrypted if the key was obtained. Worse, they used ECB mode, which encrypts each block independently — meaning identical passwords always produce identical ciphertexts. This allowed researchers to identify that millions of users shared the same password simply by looking for repeated ciphertext values.

| Adobe's Approach | Why It Was Wrong | Correct Approach |
|---|---|---|
| 3DES encryption (reversible) | Encryption can be reversed with the key. Passwords should never be recoverable. If the key is compromised, all passwords are exposed instantly. | bcrypt/Argon2 hashing (one-way) — Our password assessments verify correct implementations. |
| ECB mode (pattern-preserving) | Identical inputs produce identical outputs. Frequency analysis reveals common passwords without cracking. | Any non-ECB mode — or better, use hashing which has no 'mode' concept. |
| Plaintext password hints stored | Hints like 'my dog's name' next to the encrypted password make cracking trivial through cross-referencing. | No password hints — use password reset flows instead. |
| Single key for all passwords | One key encrypts all 153M passwords. Compromise the key, compromise them all. | Per-password salt — each password gets unique salt, preventing bulk attacks. |
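
The contrast in the table can be reproduced on a constructed credential table. The following is an added example, not code from Adobe or from this article's author: it uses a toy 64-bit Feistel cipher as a stand-in for 3DES (the Python standard library has no 3DES) and `hashlib.scrypt` as the one-way function in place of the bcrypt/Argon2 the table names. All function names, accounts and the key are assumptions made for the illustration.

```python
import hashlib, hmac, os
from collections import Counter

BLOCK = 8  # 64-bit block, the same block size as 3DES

def _feistel_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher; a stand-in for 3DES, not 3DES itself."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def ecb_encrypt(key: bytes, password: str) -> bytes:
    """ECB: pad to a block multiple, then encrypt each block independently."""
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(_feistel_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def scrypt_record(password: str) -> bytes:
    """One-way storage: fresh 16-byte salt per password, then scrypt."""
    salt = os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def scrypt_verify(password: str, record: bytes) -> bool:
    salt, digest = record[:16], record[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)

def repeated_values(stored: list) -> dict:
    """Audit check: stored values shared by more than one account."""
    return {v: n for v, n in Counter(stored).items() if n > 1}

# Constructed sample accounts (not taken from any real data set).
USERS = [("a@example.test", "123456"), ("b@example.test", "123456"),
         ("c@example.test", "password1"), ("d@example.test", "password2"),
         ("e@example.test", "123456")]
KEY = b"one-key-for-every-account"  # constructed key

ecb_rows = [ecb_encrypt(KEY, pw) for _, pw in USERS]
kdf_rows = [scrypt_record(pw) for _, pw in USERS]

if __name__ == "__main__":
    print("ECB repeats:", {v.hex(): n for v, n in repeated_values(ecb_rows).items()})
    print("scrypt repeats:", repeated_values(kdf_rows))
```

Under the single-key ECB scheme the three accounts with the same password share one stored value, and the two passwords that differ only after the eighth character share their first ciphertext block. With a per-password salt no stored value repeats, so the same audit over the scrypt column finds nothing.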

They stole Acrobat and ColdFusion source code too.

Beyond the customer data, the attackers stole source code for Adobe Acrobat, ColdFusion, and ColdFusion Builder. Acrobat is installed on hundreds of millions of computers worldwide; ColdFusion powers thousands of web applications including government and enterprise systems. Access to the source code would allow attackers to discover zero-day vulnerabilities far more efficiently than through black-box testing — potentially enabling targeted attacks against organisations running these products for years to come.

This source code theft parallels the Operation Aurora attack on Google and Adobe in 2010, where source code was also a primary target. For organisations running Adobe products, the stolen source code increased their risk profile — and underscored the importance of prompt patching when Adobe releases security updates. Cyber Essentials Danzell mandates 14-day critical patching for exactly this reason.


153 million credentials weaponised at scale.

The Adobe breach database became one of the most widely circulated credential datasets in history — appearing on Have I Been Pwned, on dark web marketplaces, and as a standard component of credential-stuffing attack toolkits. The combination of 153 million email addresses with cracked passwords fuelled account takeover attacks across the internet for years.

For UK organisations, the Adobe breach reinforced three critical lessons: password storage must use proper hashing (our application testing verifies this), MFA must be deployed to break the credential-reuse chain (Cyber Essentials Danzell mandates this), and dark web monitoring through SOC in a Box must detect when your users' credentials appear in breach databases. For incident response, UK Cyber Defence provides the capability to assess and respond to credential compromise.


153 million passwords stored wrong. Adobe wrote the textbook on what not to do. Is your password storage correct?

Our [application testing](/penetration-testing/web-application) verifies password storage. [SOC in a Box](https://www.socinabox.co.uk) monitors dark web breach databases. [Cyber Essentials](/cyber-essentials) mandates MFA.
