Hacker Grabs 150k Adobe User Accounts Via SQL Injection

CowboyRobot writes "Adobe today confirmed that one of its databases has been breached by a hacker and that it had temporarily taken offline the affected Connectusers.com website. The hacker, who also goes by Adam Hima, told Dark Reading that the server he attacked was the Connectusers.com Web server, and that he exploited a SQL injection flaw to execute the attack. 'It was an SQL Injection vulnerability, somehow I was able to dump the database in less requests than normal people do,' he says. Users passwords for the Adobe Connectusers site were stored and hashed with MD5, he says, which made them 'easy to crack' with freely available tools. And Adobe wasn't using WAFs on the servers, he notes. Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old."

Adobe has bad security practices?

[travbrad]

A shocking revelation

Re:Adobe has bad security practices?

[fuzzyfuzzyfungus]

This is big news! Adobe has long been a dominant vendor in the market for atrocious desktop security; but here they are demonstrating their capacity for 'big data' and 'cloud-centric' server insecurity solutions. Even better, since the breach compromised the security of numerous individuals at third party companies, I'd say that this is a strong play for the lucrative 'managed insecurity' market enabled by the trend toward IT outsourcing...

I, for one, am downright bullish about Adobe's prospects for subtracting value from the software ecosystem in new and exciting markets!

Unforgivable

[geekoid]

SQL injection? what is this, 1993?

.

Re:Unforgivable

[Nyder]

SQL injection? what is this, 1993?

.

About right, I think they took security out of the budget in 1992.

Re:Unforgivable

[a_hanso]

Actually, a bank analogy is more like you walking up to the bank manager and saying "Hi, I have a complaint about a $100 discrepancy in my WRITE DOWN YOUR BANK VAULT COMBINATION." and the manager hypnotically doing just that.

Something tells me you will be disappointed...

[denzacar]

http://www.securityweek.com/authors/tal-beery

Don't really need daily hacker updates anymore

[Andy+Prough]

A simple once-per-year post reminding us that ALL of our private data has been sucked out of insecure online databases and is being sold on the Russian (or Indonesian or Egyptian or Chinese or Pennsylvanian) black-market should suffice.

Re:Poor security standards

[ark1]

A Web Application Firewall will inspect layer 7 traffic and can provide some protection against layer 7 attacks such as SQL injections. They act more like Intrusion Detection/Prevention Systems rather than traditional network firewalls.

Re:Poor security standards

[El_Oscuro]

That is cool. It is nice that you can configure firewalls to protect against layer 7 attacks. It is a great part of defence in depth. If I set up the firewalls I would do this. Of course I don't, and the bureaucracy makes the Vogons look nimble. They would feed their own grandmother to the Ravenous Bugblater Beast of Traal rather than change the rules. And of course, some other "developer" with some clout would get an exception so his craptastic application still works.

I love the idea of a Firewall protecting my app, but would rather write the 2 lines of code to ensure my app doesn't get pwned if it doesn't for whatever reason.

Re:What's a WAF?

[Zaiff+Urgulbunger]

Yeah, I blame the editors too -- quite frankly, standards here have slipped!

Anyway, thanks for all the replies. For the common good, WAF in this article = Web Application Firewall