
A quick blog post on Adobe's recent leak of customer data.

Earlier this month, Adobe announced a leak of 2.9M users' personal information (including encrypted credit card data). Over the following weeks, some partial dumps claimed to be linked to this leak were published online, but nothing really interesting surfaced until 24th October, when someone posted a link to a file called users.tar.gz on the Anonews forum (the thread was deleted; google cache). Since the file was hosted on a hacked server, it was quickly deleted and nearly nobody was able to download it. Nearly. On 29th October a post on a Russian “underground” forum linked to two files: ldap.tar.gz (8.2MB) and users.tar.gz (3.8GB). Thanks to m3g9tr0n we were able to get them and start analyzing them.

About the ldap.tar.gz file: it contains 68.276 email addresses (64.837 of them ending in @adobe.com). It seems to be a dump of an internal LDAP server, but it contains no password information.

About the users.tar.gz file: it contains 153.004.870 lines in the following format, where the field separator is -|- (the second field, between the uid and the email address, is empty):

<some uid>-|--|-<email address>-|-<base64 of encrypted password>-|-<password hint>|--

We weren't able to determine the algorithm used by Adobe to encrypt their passwords, but we think that it *may* be (simple or triple) DES or Blowfish (in CBC or ECB block mode) (UPDATE: Adobe acknowledged that it is Triple DES, and it is definitely using ECB block mode). Some people stated that the passwords were encrypted using some kind of “modified sha1” or “double DES”. They are not. ECB matters here: with a single key and no IV, identical 8-byte plaintext blocks always encrypt to identical ciphertext blocks, so two users with the same password have the same ciphertext, and two users whose passwords share their first 8 characters share their first ciphertext block. That is visible in the dump without cracking anything, and it is what lets one user's hint be applied to every other user in the same group. Some more statistics about the passwords: there are 130.325.717 nonempty password fields but only 56.045.364 unique passwords. Since the encryption algorithm uses 64-bit blocks (8 characters) and the ciphertext length is therefore a multiple of 8 bytes, we can deduce the password length distribution from the ciphertext length alone: 50M passwords are between 1 and 7 characters long, nearly 80M are between 8 and 15 characters long, 58k are between 16 and 23 characters long and 5.6k are between 24 and 31 characters long. (UPDATE: Jeremi Gosney analyzed the password counts and the hints and was able to compile a top 100 of the passwords used (mirror of the stats here).)
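To make the block-size and ECB reasoning above concrete, here is an added Python example (mine, not code from the post, from Adobe or from the people credited above). It parses lines in the format given above, maps each ciphertext length to the password-length range it implies, and groups users by their first 8-byte ciphertext block, which under ECB with a single key means they share the first 8 characters of their password, so a hint from any member of the group applies to all of them. Two things are assumptions rather than facts from the post: the sample lines and the ciphertext bytes A, B and C are constructed for the example and are not real dump data, and the padding rule (a plaintext that is already a multiple of 8 bytes gets a whole extra padding block) is inferred from the 1-7 / 8-15 / 16-23 ranges above, not confirmed by Adobe.

```python
import base64
import binascii
from collections import Counter, defaultdict

BLOCK = 8  # 64-bit block: DES, 3DES and Blowfish all use it


def parse_line(line):
    """Parse one line of the dump format: uid-|--|-email-|-base64(ciphertext)-|-hint|--

    Returns a dict, or None for lines that do not fit the format. Splitting on the
    '-|-' separator with maxsplit=4 keeps any '-|-' that occurs inside the hint itself.
    """
    line = line.rstrip("\r\n")
    if not line.endswith("|--"):
        return None
    parts = line[:-3].split("-|-", 4)
    if len(parts) != 5:
        return None
    uid, _username, email, ct_b64, hint = parts
    try:
        ct = base64.b64decode(ct_b64, validate=True) if ct_b64 else b""
    except binascii.Error:
        return None
    if len(ct) % BLOCK:
        return None  # not a whole number of cipher blocks: damaged line, skip it
    return {"uid": uid, "email": email, "ct": ct, "hint": hint}


def length_range(ct):
    """Password length bounds implied by the ciphertext length.

    Assumption (not confirmed by Adobe): block-aligned padding that adds a whole block
    when the plaintext is already a multiple of 8 bytes, which is what the post's
    1-7 / 8-15 / 16-23 ranges imply. n blocks -> 8(n-1) .. 8n-1 characters.
    """
    n = len(ct) // BLOCK
    if n == 0:
        return None
    return (max(1, BLOCK * (n - 1)), BLOCK * n - 1)


def analyse(lines):
    """Length distribution plus the two things ECB leaks without any cracking:
    identical ciphertexts (identical passwords) and identical first blocks
    (identical first 8 characters), so one user's hint applies to the whole group."""
    records = [r for r in map(parse_line, lines) if r is not None]
    nonempty = [r for r in records if r["ct"]]
    by_first_block = defaultdict(list)
    for r in nonempty:
        by_first_block[r["ct"][:BLOCK]].append((r["email"], r["hint"]))
    return {
        "parsed": len(records),
        "nonempty": len(nonempty),
        "unique": len({r["ct"] for r in nonempty}),
        "length_dist": dict(Counter(length_range(r["ct"]) for r in nonempty)),
        "shared_prefix_groups": {
            blk.hex(): users for blk, users in by_first_block.items() if len(users) > 1
        },
    }


def make_line(uid, email, ct, hint):
    """Build a line in the dump format from raw ciphertext bytes (used for the sample)."""
    return f"{uid}-|--|-{email}-|-{base64.b64encode(ct).decode()}-|-{hint}|--"


# Constructed sample, not real dump data: A, B and C stand in for 3DES-ECB output blocks.
A = bytes.fromhex("123456789abcdeff")
B = bytes.fromhex("0123456789abcdef")
C = bytes.fromhex("fedcba9876543210")
SAMPLE = [
    make_line(100000001, "alice@example.com", A, "dogs name"),         # 1 block: 1-7 chars
    make_line(100000002, "bob@example.com", B + C, ""),                # 2 blocks: 8-15 chars
    make_line(100000003, "carol@example.com", A + C, "same as work"),  # same 1st block as alice
    make_line(100000004, "dave@example.com", b"", ""),                 # empty password field
    make_line(100000005, "erin@example.com", A, "alice"),              # identical to alice's
    "a damaged line without the expected separators",
]

if __name__ == "__main__":
    result = analyse(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample, alice, carol and erin end up in one shared-prefix group: erin's ciphertext equals alice's (same password), and carol's first block equals theirs (same first 8 characters), so the hints "dogs name", "same as work" and "alice" all describe the same 8-character prefix. Run against the real file, the same grouping is what makes the hint column so damaging.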

About the email addresses: there are many faulty addresses (e.g. gmail.comm, <email service provider><password> (the user forgot to press the tab key), other mistakes or fake addresses), but we can still compile statistics about email providers: 35.842.643 accounts are from hotmail.(com|fr|co.uk|de) (in that order of frequency), 24.476.674 are hosted on gmail.com or googlemail.com, 24.588.216 are from yahoo's email service and 3.478.697 are from aol.com.

And that is where we stand at the moment, since we can't crack those passwords.

PS: m3g9tr0n pointed out that it would be better to include the command lines I used to produce those statistics, so here they are:

To get a list of the contents of the n-th field (emails: n = 3, passwords: n = 4), I used this command (here for emails):

cut -d'|' -f3 cred | sed -r 's/^-//; s/-$//' > emails

Because the fields are separated by -|-, cutting on | leaves a leading and a trailing dash around the field; the sed removes both (the original only stripped the leading one, which leaves a dash on the end of every address and breaks the $-anchored grep below).

To get a list of mail service providers with counts, I ran this command:

cut -d@ -f2- emails | sort --parallel=2 -S2G | uniq -c | sort -rn > email_providers

The --parallel flag makes sort use multiple processes to run faster, while the -S flag lets it use more memory (and thus avoid writing temporary files to disk, which would slow down the sorting). Two caveats: cut passes lines that contain no @ (the faulty addresses mentioned above) through whole unless you add -s, and uniq -c is case-sensitive, so Hotmail.com and hotmail.com are counted separately unless you lowercase the list first (e.g. with tr 'A-Z' 'a-z').

To get the count of Hotmail addresses I used this command line (the file is the email_providers output of the previous step):

grep -P '\shotmail\.(com|fr|co\.uk|de)$' email_providers | awk '{s+=$1} END {print s}'

The \s matches the whitespace that uniq -c puts between the count and the provider, and awk sums the counts in the first column and prints the total.