Adobe breach points out risks of password reuse

NEVER REUSE YOUR INSTITUTIONAL PASSWORD for external web sites or Internet services.

In October, Adobe announced a security breach in which customer information from tens of millions of accounts was compromised, including over 2000 accounts at UNL. These accounts were created through product registrations for software such as Photoshop and Acrobat, as well as through cloud-based accounts.


What makes this breach a valuable object lesson is that it led to other individual online accounts being compromised. While the customer data stolen from Adobe included passwords that were encrypted, the email addresses and password "hints" were not. Often the hints contained the password itself or referred to another online account, giving the hackers more targets to plunder.
 
If the same password used for an Adobe account was also used for work, school, banking, or other accounts, those accounts may be at risk. Repercussions could range from simple to severe: account hijacks to send spam, theft of bank deposits, or hackers gaining a foothold in a place of employment from which to conduct widespread, damaging attacks.
 
RECOMMENDATIONS
 
ITS recommends that you take the following actions:
 
1. CHANGE PASSWORDS IMMEDIATELY. Persons who used the same password for Adobe and other accounts should immediately change their passwords at the other locations and monitor for unusual activity.
 
2. ADOBE PASSWORDS SHOULD BE RESET only by manually visiting the Adobe website, and not by clicking on links arriving via email, as there is now a concern that there will be a rise in phishing related to this event.
 
3. NEVER REUSE YOUR INSTITUTIONAL PASSWORD for external web sites or Internet services. If you reuse a password at multiple locations, then when that password is compromised at one site, the miscreants can gain access to every site where you've used it. The best policy is to always use different passwords for different accounts.
 
4. CREATE STRONG PASSWORDS OR PASSPHRASES. The Wikipedia guidelines for strong passwords [3] are a good starting point.
 
5. CONSIDER THE USE OF A PASSWORD "WALLET" such as KeePass or LastPass. These tools make it easy to have a strong, unique password for every web site or service.
 
6. BE ON THE LOOKOUT FOR PHISHING. Miscreants will be using the Adobe breach as a pretext for phishing.
 
7. USE INFORMATION THAT IS NOT EASILY GUESSED. When providing password hints, use information that is not easily guessed or discovered. For example, if your hint is "dog's name" and you mention your dog on social networking sites, miscreants can discover that information.
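The hint problem described above (hints that contained the password itself, item 7) is something a site can check for at account creation. The following validator is an added example and not code from the advisory or from Adobe; the MIN_LEAK_LEN threshold and the sample passwords in the docstring are assumed values.

```python
"""Reject password hints that reveal the password they are meant to protect.

Added example, not part of the ITS advisory. A hint is treated as leaking
the password when, after normalisation, it contains the whole password,
the password reversed, or any run of MIN_LEAK_LEN or more characters
taken from the password.
"""
import re

# Assumed threshold: shared runs shorter than this are tolerated
# (e.g. a hint of "summer" for the password "Summer2013!" is still caught).
MIN_LEAK_LEN = 4


def _normalize(text: str) -> str:
    """Lower-case and drop everything except letters and digits, so that
    'Summer 2013' and 'summer2013!' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def hint_leaks_password(password: str, hint: str) -> bool:
    """Return True if the hint exposes the password or a large piece of it."""
    pw = _normalize(password)
    h = _normalize(hint)
    if not pw or not h:
        return False
    # Whole password, forwards or reversed, appearing in the hint.
    if pw in h or pw[::-1] in h:
        return True
    # Any substring of the password of MIN_LEAK_LEN+ characters in the hint.
    # Longest candidates first so the first match is the most damaging one.
    for length in range(len(pw), MIN_LEAK_LEN - 1, -1):
        for start in range(0, len(pw) - length + 1):
            if pw[start:start + length] in h:
                return True
    return False


def validate_hint(password: str, hint: str) -> tuple[bool, str]:
    """Account-creation check: (accepted, reason)."""
    if hint_leaks_password(password, hint):
        return False, "hint contains the password or part of it"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the first two are the failure mode seen in the breach.
    for pw, hint in [("Summer2013!", "summer 2013"), ("Tr0ub4dor&3", "Tr0ub4dor"),
                     ("Fluffy2013", "dog's name")]:
        print(repr(hint), "->", validate_hint(pw, hint))
```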
 
REFERENCES
 
An excellent layman's overview can be found in the NY Times: http://nyti.ms/1gHyz8b

[1] http://helpx.adobe.com/x-productkb/policy-pricing/ecc.html
 
[2] http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/
 
[3] http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords
 
If you have any questions, please contact the UNL ITS Computer Help Center at 402-472-3970 or the ITS Security Team at 402-472-5700.