152 Million Secrets: The Adobe Breach


On the morning of October 3, 2013, Adobe Systems — the company behind the software installed on virtually every computer on earth — published a brief, clinical blog post under the title “Important Customer Security Announcement.”

The headline figures were damaging enough: approximately 2.9 million customer accounts had been compromised, including encrypted credit card numbers and encrypted passwords. Adobe was notifying affected customers and asking them to change their passwords.

It was, by the standards of 2013, a significant breach. Security reporters wrote it up. Adobe’s stock dipped. The company apologized.

Then the researchers started digging.

Within days, the actual scope of the breach began to emerge from dark web forums and security analyst reverse-engineering of exfiltrated data. The real number wasn’t 2.9 million. It wasn’t even 10 million.

It was 152 million accounts.

And buried inside the exfiltrated data was something far more dangerous than customer credentials: the complete source code for Adobe Acrobat, Adobe Reader, and ColdFusion — software installed on hundreds of millions of machines worldwide. Whoever had broken into Adobe’s systems had walked out with the blueprints.

Threat Actor Profile: Unknown (Assessed Eastern European)

Designation: Unknown; identified in connection with simultaneous breaches at LexisNexis, Dun & Bradstreet, and Kroll
Attribution: Assessed by researchers at KrebsOnSecurity as the same actor responsible for a series of simultaneous large-scale data thefts; Eastern European cybercriminal origin inferred from tooling and infrastructure patterns
Origin: Unknown; no formal government attribution made
Primary Mission: Large-scale credential and financial data theft for resale on dark web markets; potential secondary mission of source code acquisition for zero-day development or sale
Known Tradecraft: Enterprise network intrusion, large-scale credential dumping, data staging and exfiltration, simultaneous multi-organization targeting

Notorious Operations:

  • LexisNexis (2013): The legal research giant was compromised in the same campaign, with access to sensitive personal information on millions of Americans.
  • Dun & Bradstreet (2013): The business credit reporting company was simultaneously breached, with investigators linking the intrusion to the same threat actor.
  • Kroll (2013): The corporate investigations and security firm — whose business is investigating breaches — was itself breached in the same campaign, in a darkly ironic illustration of the supply chain problem.
  • Adobe Systems (2013): The largest and most consequential of the simultaneous breaches, yielding 152 million credentials and the source code for Acrobat, Reader, and ColdFusion.

The Intrusion: How Adobe Fell

The precise technical mechanism of Adobe’s compromise was never fully disclosed publicly. What is known, assembled from breach notification filings, security researcher analysis of the exfiltrated data, and contemporaneous reporting by Brian Krebs and Alex Holden of Hold Security, is the following:

The attackers gained access to Adobe’s internal network and maintained a persistent presence for an extended period — assessed at several months — before discovery. During that time, they accessed:

Customer databases containing account credentials, encrypted payment card numbers, and personal information across Adobe’s product families — Adobe Creative Cloud, Acrobat.com, and associated Adobe ID accounts.

Source code repositories for multiple Adobe products, including the entirety of Acrobat Reader/Professional, Adobe ColdFusion (the web application platform), and portions of other products. The source code was large enough that security researcher Krebs, who reviewed a sample posted by the attackers to a file-sharing site, estimated the repository exceeded 40 gigabytes compressed.

The breach was discovered not by Adobe, but by an outside researcher. Brian Krebs and Alex Holden of Hold Security discovered the stolen data on a server operated by the same cybercriminals responsible for the LexisNexis and Dun & Bradstreet breaches — the three datasets sitting together on a single server, indicating a coordinated operation against multiple targets. Krebs contacted Adobe, which confirmed the breach in the following days.

The Password Catastrophe: When Encryption Masquerades as Security

The credential breach was severe in scale. The password security was a separate, self-inflicted catastrophe.

Adobe encrypted its user passwords using 3DES (Triple DES) in ECB mode — and this choice turned an already serious breach into a masterclass in what not to do with cryptography.

The specific failures were compounding:

Wrong algorithm: 3DES is a symmetric encryption algorithm, not a password hashing function. The distinction matters enormously. Encryption is reversible: anyone holding the key can decrypt every password in the database at once. Password hashing functions like bcrypt, scrypt, or PBKDF2 are deliberately one-way and computationally expensive: even with the whole database in hand, recovering each plaintext requires per-password computation, which makes mass cracking expensive.

Wrong mode: ECB (Electronic Codebook) mode encrypts each block of data independently, without using the output of previous blocks as input to subsequent ones. This produces a fatal property: identical inputs always produce identical outputs. Two users with the same password will have identical encrypted values in the database. An attacker with the ciphertext doesn’t need to crack individual passwords — they can deduce passwords by observing that millions of users share the same encrypted value, cross-referencing that value against known common passwords, and instantly revealing the plaintext.

No per-user salt: Even had Adobe used a proper hashing algorithm, the absence of per-user random salts would have made precomputed table attacks feasible. Combined with ECB mode’s frequency analysis vulnerability, the password database was functionally readable.

Security researchers, receiving the dumped database, constructed frequency tables almost immediately. The most common encrypted value appeared millions of times. Cross-referencing against known passwords from prior breaches: 123456. The second most common: 123456789. The third: password.

In a breach of 152 million accounts, the encryption that was supposed to protect passwords had provided roughly the security of no encryption at all.

The Source Code Problem: Blueprints for Zero-Days

The credential theft, while damaging, was at least containable — Adobe could force password resets and notify affected users. The source code theft presented a problem with no clean resolution.

Adobe Acrobat Reader had been installed on virtually every Windows and Mac computer manufactured in the previous decade. In enterprise environments, it was ubiquitous. Governments, law firms, hospitals, financial institutions — every organization that received PDF documents had Reader deployed across its workstations.

The source code for Reader and Acrobat, now in the hands of unknown criminal actors, represented something that security researchers describe as a roadmap to zero-days. Vulnerabilities in software are far easier to find when you can read the source code — you can grep for dangerous function calls, trace memory management, analyze parsing logic, and identify attack surfaces that would take months or years to discover through black-box fuzzing.

Adobe Reader had a long history of exploited vulnerabilities used in targeted attacks by nation-state actors. The Elderwood Group had used a Reader zero-day in spear phishing campaigns against defense contractors. APT groups across multiple countries had weaponized Reader flaws for initial access.

The question of whether the stolen source code was subsequently used to develop new Reader zero-days — or sold to parties who did — has never been definitively answered publicly. Adobe moved rapidly to accelerate its Secure Product Lifecycle review of the affected products and issued multiple security updates in the months following the breach. ColdFusion received emergency patches for a critical remote code execution vulnerability within weeks of the breach disclosure.

Whether the patches preceded or followed exploitation of source-code-derived vulnerabilities is unknown.

The Crossword Puzzle That Revealed Passwords

Among the most memorable artifacts of the breach analysis was a demonstration by security researcher Jeremi Gosney that effectively turned the 152 million encrypted passwords into a publicly solvable puzzle.

Because Adobe had used ECB mode without salting, the encrypted passwords behaved exactly like a substitution cipher — the same plaintext always produced the same ciphertext. Gosney and other researchers created what became known in the community as the Adobe Password Crossword — a grid in which each encrypted password value corresponded to a cell, and the password hints provided by Adobe users (Adobe had stored plaintext “password hints” alongside the encrypted values) could be used as clues.

Users who had provided hints like “same as always,” “my cat’s name,” and “first car” alongside their encrypted passwords had, in aggregate, effectively provided enough context that researchers could solve the puzzle using frequency analysis and contextual deduction.

The result was that millions of passwords from the breach were effectively known, without ever breaking the encryption directly.
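As an added example (not code from the original analysis, from Adobe, or from the researchers named above), the following Python models the password-storage failures described in the 3DES-ECB section and the hint clustering described in the crossword section. The `ecb_like_encrypt` function is a constructed stand-in, not real 3DES: it keeps only the ECB property that matters (equal 8-byte blocks under one static key give equal ciphertext), the key and the sample rows are constructed, and the salted scrypt form beside it shows what removes the clustering.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict

DEMO_KEY = b"constructed-demo-key"  # one static key for the whole table, as in the dump
BLOCK = 8                           # 3DES block size in bytes

def ecb_like_encrypt(password: str) -> bytes:
    """Stand-in for 3DES-ECB (not real 3DES): pad to 8-byte blocks and map each
    block independently through a deterministic keyed function. This keeps the
    ECB property that mattered: equal plaintext blocks give equal ciphertext."""
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(hmac.new(DEMO_KEY, data[i:i + BLOCK], hashlib.sha256)
                    .digest()[:BLOCK] for i in range(0, len(data), BLOCK))

def first_block_counts(table):
    """Auditor's view of a leaked table: how often each first block repeats.
    No key is needed; the repetition is visible in the ciphertext alone."""
    return Counter(ct[:BLOCK] for ct, _hint in table)

def hints_by_ciphertext(table):
    """Collect the cleartext hints stored beside each identical ciphertext:
    the 'crossword clues' every cluster hands to whoever holds the dump."""
    groups = defaultdict(list)
    for ct, hint in table:
        if hint:
            groups[ct].append(hint)
    return dict(groups)

def store_scrypt(password: str, salt: bytes = b""):
    """Hardened form: per-user random salt plus a memory-hard KDF, so two users
    with the same password no longer share a stored value."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def verify_scrypt(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(store_scrypt(password, salt)[1], digest)

# Constructed sample rows (password, hint) mirroring the dump's skew.
ROWS = ([("123456", "numbers"), ("123456", "obvious"), ("123456", "")] * 10
        + [("123456789", "one to nine")] * 8 + [("12345678", "1-8")] * 3
        + [("password", "the usual")] * 6 + [("T9!vq#Lm2", "")])
TABLE = [(ecb_like_encrypt(p), h) for p, h in ROWS]
```

Because the cipher works on 8-byte blocks, "123456789" and "12345678" share an identical first ciphertext block, so clusters leak across passwords of different lengths, not only exact duplicates; the scrypt rows, by contrast, differ even for the same password.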

Fallout and Legacy

Adobe settled regulatory investigations related to the breach for $1.1 million — a payment that cybersecurity attorneys widely described as tokenistic relative to the breach’s actual scope.

The payment came almost two years after the breach, following investigations by a coalition of state attorneys general. The settlement required Adobe to implement improved security practices and submit to third-party audits. No criminal charges related to the actual intrusion were ever publicly filed; the attackers were never identified or prosecuted.

For password security, the Adobe breach became a primary teaching example in security curricula worldwide. The failure modes it illustrated — symmetric encryption instead of one-way hashing, ECB mode, no salting — were so clearly documented and so visually demonstrable through the crossword analysis that the breach effectively ended debate about whether organizations could “get away with” inadequate password protection. Adobe had demonstrated, at scale and in public, that bad cryptographic choices were forensically indistinguishable from no cryptographic protection at all.

For source code security, the breach prompted a reexamination of how software companies stored their intellectual property internally. The premise that source code repositories were “internal” assets protected by perimeter security was exposed as false: any organization large enough to be a significant target was only as secure as its internal network segmentation, and internal network segmentation was demonstrably insufficient against motivated attackers.

For the 152 million affected users, the breach meant years of vigilance against credential-stuffing attacks. Adobe passwords, combined with the associated email addresses and password hints, became valuable assets in the underground market for years — fueling automated attacks against banking, email, and social media accounts across the web.

The document you opened this morning was rendered by Adobe software. The software that rendered it was once exposed to hands that may have read its source, line by line, looking for the next door.


Attack Chain: Adobe Systems Breach 2013

graph TD
    A["Unknown Threat Actor\n(Assessed Eastern European)"] --> B["Simultaneous Campaign\nAdobe + LexisNexis +\nDun & Bradstreet + Kroll"]

    B --> C["Initial Access\nAdobe Internal Network\n(Method undisclosed)"]

    C --> D["Extended Dwell\nEstimated Months Inside\nPre-Discovery"]

    D --> E["Source Code Repository Access"]
    E --> E1["Adobe Acrobat / Reader\nSource Code — Full Repository"]
    E --> E2["Adobe ColdFusion\nSource Code"]
    E --> E3["Additional Products\nPartial Repositories"]

    D --> F["Customer Database Access\n152 Million Adobe ID Accounts"]
    F --> F1["Usernames + Email Addresses"]
    F --> F2["Encrypted Passwords\n3DES-ECB — No Salt\n(Functionally Plaintext)"]
    F --> F3["Encrypted Credit Card Numbers\n~2.9M Payment Cards"]
    F --> F4["Password Hints\n(Stored in Cleartext)"]

    E1 --> G["🔴 Source Code +\nDecrypted Passwords\nStaged for Exfiltration"]
    F --> G

    G --> H["Data Exfiltrated\nto Attacker-Controlled Server\nShared Infrastructure Across\nSimultaneous Breaches"]

    H --> I["Brian Krebs / Hold Security\nDiscover Data on Criminal Server\nContact Adobe — October 2013"]

    I --> J["Adobe Discloses Breach\nOctober 3, 2013\n'2.9M Accounts Affected'"]

    J --> K["Researchers Analyze Dump\nFrequency Analysis of ECB Ciphertext\n'Adobe Password Crossword'"]

    K --> L["Real Scope Revealed:\n152 Million Accounts\n3DES-ECB Passwords = Cracked En Masse"]

    L --> M["🔑 Most Common Password:\n'123456'\nDeduced Without Decryption"]

    H --> N["Source Code on Criminal Markets\nPotential Zero-Day Development\nColdFusion RCE Discovered → Patched"]

    L --> O["Adobe Forced Password Reset\nAll 152M Affected Accounts"]
    N --> O

    O --> P["$1.1M Regulatory Settlement\nTwo Years Post-Breach\nNo Criminal Prosecution"]

    P --> Q["Industry Impact:\n3DES-ECB Banned from\nPassword Storage — Textbook Case"]