
A quick blog post on Adobe's recent leak of customer data.

Earlier this month, Adobe announced a leak of 2.9M users' personal information (including encrypted credit card data). Over the following weeks, some partial dumps claimed to be linked to this leak were published online, but nothing really interesting appeared until 24 October, when someone posted a link to a file called users.tar.gz on the Anonews forum (the thread has since been deleted; Google cache). Since the file was hosted on a hacked server, it was quickly removed and nearly nobody was able to download it. Nearly. On 29 October a post on a Russian "underground" forum linked to two files: ldap.tar.gz (8.2MB) and users.tar.gz (3.8GB). Thanks to m3g9tr0n we were able to get them and start analyzing them.

About the ldap.tar.gz file: it contains 68276 email addresses (64837 of them ending in @adobe.com). It seems to be a dump of an internal LDAP server, but it holds no password information.

About the users.tar.gz file: it contains 153.004.870 lines, one record per line, in the following format (the fields are separated by -|- and each record ends with |--, so the dashes on either side of a field belong to the separators, not to the field):

<uid>-|--|-<email address>-|-<base64 of encrypted password>-|-<password hint>|--

We weren't able to determine the algorithm Adobe used to encrypt the passwords, but we think it *may* be (single or triple) DES or Blowfish, in CBC or ECB mode (UPDATE: Adobe acknowledged that it is Triple DES, and it is definitely in ECB mode). Some people stated that the passwords were encrypted with some kind of "modified SHA-1" or "double DES". They are not. Some more statistics about the passwords: there are 130.325.717 non-empty password fields but only 56.045.364 unique values. That is exactly what ECB gives you: every 8-byte block is encrypted independently with the same key and no IV, so two users with the same password get the same ciphertext, and every clear-text hint attached to a given ciphertext describes the same password. Since the cipher uses 64-bit (8-byte) blocks and the plaintext is padded to a whole number of blocks, the ciphertext length also bounds the password length: 50M passwords are between 1 and 7 characters long, nearly 80M are between 8 and 15, 58k are between 16 and 23 and 5.6k are between 24 and 31. (UPDATE: Jeremi Gosney analyzed the password counts and the hints and produced a top 100 of the passwords used (mirror of the stats here).)

About the email addresses: there are many faulty addresses (e.g. gmail.comm, or <email service provider><password> where the user forgot to press the Tab key, plus other mistakes and some fake addresses), but we can still compute statistics about email providers: 35.842.643 accounts are from hotmail.(com|fr|co.uk|de) (in that order of frequency), 24.476.674 are hosted on gmail.com or googlemail.com, 24.588.216 are from yahoo's email service and 3.478.697 are from aol.com.

And that is where we stand at the moment, since we can't crack those passwords: without Adobe's key there is nothing to brute-force password by password, so the hints and the ECB block equalities are the only levers.

PS: m3g9tr0n pointed out that it would be better to include the command lines I used to produce those statistics, so here they are:

To get a list of the contents of the n-th field (emails: n = 3, passwords: n = 4), I used this command (here for emails; the two substitutions strip the leading and trailing dashes that belong to the -|- separators):

cut -d\| -f3 cred | sed -r 's/^-//; s/-$//' > emails

To get a list of mail service providers with counts, I ran this command:

cut -d@ -f2- emails | sort --parallel=2 -S2G | uniq -c | sort -rn > email_providers

The --parallel flag makes sort use multiple processes to run faster, while the -S flag lets it use more memory (and thus avoid writing temporary files to disk, which would slow down the sorting).

To get the count of Hotmail addresses I used this command line:

grep -P '\shotmail\.(com|fr|co\.uk|de)$' email_providers | awk '{s+=$1} END {print s}'

This command adds up the counts (the first column of every matching line) and prints the total.
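As an added example, not part of the original post, the following POSIX shell script reproduces the statistics above (field extraction, provider counts, the Hotmail total, the non-empty/unique password counts and the block-length deduction) on a small constructed sample written in the users.tar.gz record format. Nothing in it is real leaked data: the addresses, hints and base64 strings are made up, the base64 values only have the right length for one and two 8-byte 3DES blocks (they are not ciphertexts), and the scratch file location is an assumption. It also shows the ECB point in practice: the ciphertext length bounds the password length, and everyone sharing a ciphertext shares a password, so their hints can be pooled.

```shell
#!/bin/sh
# Added example (not the post's own code): the post's statistics on a constructed
# sample in the users.tar.gz record format.  No real leaked data is used; the
# base64 strings are length-correct placeholders, not actual 3DES ciphertexts.
SAMPLE="${TMPDIR:-/tmp}/adobe_cred_sample.txt"   # assumed scratch location

make_sample() {
    cat > "$1" <<'EOF'
1-|--|-alice@hotmail.com-|-0123456789A=-|-dog name|--
2-|--|-bob@gmail.com-|-0123456789A=-|-usual numbers|--
3-|--|-carol@hotmail.fr-|-0123456789abcdefghijkl==-|-|--
4-|--|-dave@yahoo.com-|-0123456789A=-|-123456?|--
5-|--|-erin@googlemail.com-|-ZYXWVUTSRQP=-|-|--
6-|--|-frank@hotmail.co.uk-|--|-|--
EOF
}

# n-th '|'-separated field (3 = email, 4 = password, 5 = hint), with the dashes
# that belong to the -|- separators stripped from both ends (the post's cut/sed).
field() {
    cut -d'|' -f"$1" "$2" | sed -e 's/^-//' -e 's/-$//'
}

# Mail providers with counts, most common first (the post's cut/sort/uniq pipeline).
providers() {
    field 3 "$1" | cut -d@ -f2- | sort | uniq -c | sort -rn
}

# Sum of the counts of every domain matching an extended regex, e.g.
# '^hotmail[.](com|fr|co[.]uk|de)$' (bracket classes avoid backslashes in awk -v).
provider_total() {
    providers "$1" | awk -v re="$2" '$2 ~ re { s += $1 } END { print s + 0 }'
}

nonempty_passwords() { field 4 "$1" | grep -c . ; }
unique_passwords()   { field 4 "$1" | grep . | sort -u | wc -l | tr -d ' ' ; }

# 3DES-ECB pads the password to a whole number of 8-byte blocks, so the ciphertext
# length (recovered from the base64 length and '=' padding, no decoding needed)
# bounds the password length: 1 block -> 1..7 chars, 2 blocks -> 8..15, and so on.
pw_length_range() {
    len=${#1}
    pad=0
    case "$1" in *==) pad=2 ;; *=) pad=1 ;; esac
    bytes=$(( len * 3 / 4 - pad ))
    blocks=$(( bytes / 8 ))
    lo=$(( (blocks - 1) * 8 ))
    [ "$lo" -eq 0 ] && lo=1
    echo "${lo}-$(( blocks * 8 - 1 ))"
}

# Histogram of those ranges over the whole file (the post's 50M / 80M / 58k / 5.6k).
length_histogram() {
    field 4 "$1" | grep . | while read -r ct; do pw_length_range "$ct"; done | sort | uniq -c
}

# ECB uses one key and no IV, so equal passwords give equal ciphertexts: every
# clear-text hint attached to a given ciphertext describes the same password.
hints_for() {
    awk -F'|' -v ct="$2" '{
        pw = $4; sub(/^-/, "", pw); sub(/-$/, "", pw)
        h  = $5; sub(/^-/, "", h)
        if (pw == ct && h != "") print h
    }' "$1"
}

make_sample "$SAMPLE"
echo "non-empty passwords: $(nonempty_passwords "$SAMPLE"), unique: $(unique_passwords "$SAMPLE")"
length_histogram "$SAMPLE"
providers "$SAMPLE"
echo "hotmail total: $(provider_total "$SAMPLE" '^hotmail[.](com|fr|co[.]uk|de)$')"
echo "hints shared by everyone whose ciphertext is 0123456789A=:"
hints_for "$SAMPLE" '0123456789A='
```

On the real 3.8GB file the same functions apply unchanged; only the sort calls would want the --parallel and -S flags from the post, and hints_for is the step that turns ECB's "same password, same ciphertext" property into a list of hints for the most common ciphertexts.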

9 Comments

  1. can you give me a download link? tks :)

  2. Actually, I would like to look at the file for one exact reason: to see if one of my email addresses is among them.
    I have of course changed my password, but I would like to see if I am among those affected.

    • sdf, posted 4 November 2013 at 16:17

    The top 100 password link you posted is dead; here is a working link: http://stricture-group.com/files/adobe-top100.txt

    • hydraze, posted 6 November 2013 at 18:14

    @sdf: I updated the article with your link, thanks.
    @Henning: the mail address you used to post your comment was NOT in the dump.

    • El Servas, posted 14 November 2013 at 0:54

    Lastpass.com has an online tool to check the emails that were compromised:

    https://lastpass.com/adobe/

  3. Here is a faster and safer way to extract the users' emails from the tar.gz file:
    zcat users.tar.gz | perl -nE 'my (undef, undef, $email) = split(/-\|-/); say $email' > emails.txt

    Optionally, the emails can be sorted:
    sort emails.txt --parallel=2 --unique --output=sorted_emails.txt --temporary-directory=.

    Some of the emails are invalid. Here is a Perl script to filter the valid ones:

    # usage: perl script.pl input.txt output.txt

    use 5.010;
    use Email::Valid;

    open my $in_fh,  '<', shift;
    open my $out_fh, '>', shift;

    while (<$in_fh>) {
        chomp;
        Email::Valid->address($_) && say $out_fh $_;
    }

    __END__

    Now, using a binary search algorithm, you can look up known emails in the sorted list.

    • dv98, posted 5 December 2013 at 21:55

    The command cut -d\| -f3 cred | sed -rs 's/^-//' > emails
    returns a list with the character "-" at the end of each email.
    How do I remove it?

    • hydraze, posted 5 December 2013 at 22:01

    Pipe the command into "| sed -rs 's/-$//'" (or just append the substitution rule to the previous one, separated by a semicolon).

    • Oz, posted 25 January 2014 at 13:07

    Hi Trizen,

    I have tried the validation script, but when I ran it I got the error below:

    $ perl script.pl email.txt output.txt
    Can't locate Email/Valid.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.14/x86_64-cygwin-threads /usr/lib/perl5/site_perl/5.14 /usr/lib/perl5/vendor_perl/5.14/x86_64-cygwin-threads /usr/lib/perl5/vendor_perl/5.14 /usr/lib/perl5/5.14/x86_64-cygwin-threads /usr/lib/perl5/5.14 .) at script.pl line 4.
    BEGIN failed--compilation aborted at script.pl line 4.

    Any idea how to fix that?

    Thanks in advance

