Slashdot Mirror


Hacker Grabs 150k Adobe User Accounts Via SQL Injection

CowboyRobot writes "Adobe today confirmed that one of its databases has been breached by a hacker and that it had temporarily taken offline the affected Connectusers.com website. The hacker, who also goes by Adam Hima, told Dark Reading that the server he attacked was the Connectusers.com Web server, and that he exploited a SQL injection flaw to execute the attack. 'It was an SQL Injection vulnerability, somehow I was able to dump the database in less requests than normal people do,' he says. Users' passwords for the Adobe Connectusers site were stored and hashed with MD5, he says, which made them 'easy to crack' with freely available tools. And Adobe wasn't using WAFs on the servers, he notes. Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old."
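The summary's point about MD5 is that a single fast, unsalted digest makes a dumped table cheap to attack, and it also lets anyone with the dump see which users share a password. The example below is added here and is not code from the article, Adobe, or the hacker: it puts the MD5 scheme described in the summary beside a salted, iterated PBKDF2-HMAC-SHA256 record from Python's standard library, and sketches the usual migration path for a legacy table (verify the old MD5 once at login, then replace it). The sample password and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample password for the demonstration; not taken from any dump.
SAMPLE_PASSWORD = "correct horse battery"


def md5_hash(password):
    """The scheme the summary describes: one fast, unsalted MD5 digest.
    Identical passwords produce identical hashes, and nothing slows a guesser down."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf_hash(password, salt=None, iterations=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns the record to store per user.
    A fresh 16-byte salt per user means equal passwords no longer share a hash,
    and the iteration count makes each guess cost real CPU time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def kdf_verify(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def shared_password_visible():
    """Returns (md5_collides, kdf_collides): with MD5 two users who chose the same
    password are visible in the dump; with per-user salts they are not."""
    md5_same = md5_hash(SAMPLE_PASSWORD) == md5_hash(SAMPLE_PASSWORD)
    kdf_same = kdf_hash(SAMPLE_PASSWORD)["digest"] == kdf_hash(SAMPLE_PASSWORD)["digest"]
    return md5_same, kdf_same


def upgrade_legacy_on_login(submitted, legacy_md5):
    """Migration path for a table that already holds MD5 digests (hypothetical helper):
    the plaintext is only available at login, so verify against the legacy hash once
    and return a KDF record to store in its place. Returns None when the login fails."""
    if not hmac.compare_digest(md5_hash(submitted), legacy_md5):
        return None
    return kdf_hash(submitted)


if __name__ == "__main__":
    record = kdf_hash(SAMPLE_PASSWORD)
    print("verify correct:", kdf_verify(SAMPLE_PASSWORD, record))
    print("verify wrong:  ", kdf_verify("not it", record))
    print("shared password visible (md5, kdf):", shared_password_visible())
```

Once the legacy column has been replaced for every active account, the remaining MD5 rows belong to users who never returned, and the right move is to expire those credentials rather than keep the old digests around.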

13 of 64 comments

  1. Adobe has bad security practices? by travbrad · · Score: 4, Insightful

    A shocking revelation

    1. Re:Adobe has bad security practices? by fuzzyfuzzyfungus · · Score: 4, Funny

      This is big news! Adobe has long been a dominant vendor in the market for atrocious desktop security; but here they are demonstrating their capacity for 'big data' and 'cloud-centric' server insecurity solutions. Even better, since the breach compromised the security of numerous individuals at third party companies, I'd say that this is a strong play for the lucrative 'managed insecurity' market enabled by the trend toward IT outsourcing...

      I, for one, am downright bullish about Adobe's prospects for subtracting value from the software ecosystem in new and exciting markets!

  2. Unforgivable by geekoid · · Score: 4, Informative

    SQL injection? what is this, 1993?

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:Unforgivable by Nyder · · Score: 5, Funny

      SQL injection? what is this, 1993?

      About right, I think they took security out of the budget in 1992.

      --
      Be seeing you...
    2. Re:Unforgivable by a_hanso · · Score: 4, Funny

      Actually, a bank analogy is more like you walking up to the bank manager and saying "Hi, I have a complaint about a $100 discrepancy in my WRITE DOWN YOUR BANK VAULT COMBINATION." and the manager hypnotically doing just that.

  3. Poor security standards by NetNinja · · Score: 3, Insightful

    Poor network security standards.

    A simple Web Application Firewall would have prevented that.

    If they can't do something as simple as secure their own website, their products are even worse.

    1. Re:Poor security standards by El_Oscuro · · Score: 3, Insightful

      I'm not sure how a firewall would prevent SQL injection, as the attack passes through the normal HTTP/HTTPS traffic and their own crappy web application is the attack vector. Then again, setting up any firewall is far more complex than the few lines of code or bind variables needed to stop SQL injection attacks.

      --
      "Be grateful for what you have. You may never know when you may lose it."
    2. Re:Poor security standards by ark1 · · Score: 4, Informative

      A Web Application Firewall will inspect layer 7 traffic and can provide some protection against layer 7 attacks such as SQL injections. They act more like Intrusion Detection/Prevention Systems rather than traditional network firewalls.

    3. Re:Poor security standards by El_Oscuro · · Score: 5, Insightful

      That is cool. It is nice that you can configure firewalls to protect against layer 7 attacks. It is a great part of defence in depth. If I set up the firewalls I would do this. Of course I don't, and the bureaucracy makes the Vogons look nimble. They would feed their own grandmother to the Ravenous Bugblatter Beast of Traal rather than change the rules. And of course, some other "developer" with some clout would get an exception so his craptastic application still works.

      I love the idea of a Firewall protecting my app, but would rather write the 2 lines of code to ensure my app doesn't get pwned if it doesn't for whatever reason.

      --
      "Be grateful for what you have. You may never know when you may lose it."
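El_Oscuro's two comments above make the same point: bind variables in the application are the fix, and a WAF is at best a layer on top. The example below is added here and is not code from the thread or from Adobe: it builds a small in-memory SQLite table (constructed sample rows), runs the same tautology input through a string-concatenated query and through a parameterised one, and shows that the bound version only ever treats the input as a value to compare. The table, the rows and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data standing in for a user table.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The defect: user input is spliced into the SQL text, so the database
    parses whatever the user typed as part of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The 'two lines of code': the statement is fixed, and the value is passed
    as a bind variable. The driver sends it separately, so it can only ever be
    compared against the column, never interpreted as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology input (constructed): closes the quoted literal and appends
# a condition that is true for every row.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Returns (rows leaked by the vulnerable query, rows from the bound query
    for the same input, rows from the bound query for a real username)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, TAUTOLOGY)  # the WHERE clause now matches all rows
    bound = lookup_safe(conn, TAUTOLOGY)         # no user has that literal name
    normal = lookup_safe(conn, "bob")
    conn.close()
    return len(leaked), len(bound), normal


if __name__ == "__main__":
    print(demo())  # (3, 0, [('bob', 'bob@example.com')])
```

The same shape applies to every driver that offers placeholders (`?`, `%s`, `:name`, `$1`); the discipline is simply that SQL text is never assembled from request data. A WAF looking at this traffic would have to recognise the quote-and-OR pattern in the parameter, which is exactly the kind of signature that a slightly different encoding walks past, whereas the bound query has nothing to recognise.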
  4. Something tells me you will be disappointed... by denzacar · · Score: 4, Funny
    --
    Mit der Dummheit kämpfen Götter selbst vergebens
  5. How the heck would he know?!? by Kergan · · Score: 3, Interesting

    Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old.

    Color me puzzled... How the heck does Mr Beery have the slightest damn clue that the list appears to be valid and that -- even more incredibly -- the database was relatively old? He's hacking it every day?

  6. Don't really need daily hacker updates anymore by Andy+Prough · · Score: 4, Funny

    A simple once-per-year post reminding us that ALL of our private data has been sucked out of insecure online databases and is being sold on the Russian (or Indonesian or Egyptian or Chinese or Pennsylvanian) black-market should suffice.

  7. Re:What's a WAF? by Zaiff+Urgulbunger · · Score: 4, Informative

    Yeah, I blame the editors too -- quite frankly, standards here have slipped!

    Anyway, thanks for all the replies. For the common good, WAF in this article = Web Application Firewall