Adobe Breach: 153 Million User Records Exposed With Passwords in Trivial Encryption

Brian Krebs

What happened

Attackers breached Adobe in October 2013 and stole source code for multiple products along with 153 million user records. Passwords were protected with 3DES encryption in ECB mode with a single key — a fundamentally broken approach that allowed mass cracking and revealed shared passwords across accounts.[1]

What went wrong

Adobe used 3DES in ECB mode — a symmetric encryption scheme rather than a one-way hash — meaning all users with the same password had identical encrypted values. This made cracking trivial via frequency analysis, essentially defeating the protection entirely.[1]

Lesson learned

Passwords must be hashed with bcrypt, scrypt, or Argon2, never encrypted. ECB mode leaks patterns in plaintext regardless of the underlying cipher. Source code theft in the same breach multiplied the damage by enabling targeted exploit development.
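The difference between the two storage schemes can be checked directly on a credential column. The following is an added example, not code from Adobe or from the cited source: it models ECB's block-by-block determinism with a truncated HMAC as a stand-in for 3DES (an assumption, since the standard library has no 3DES), stores the same constructed accounts with salted scrypt, and counts repeated stored values in each. The key, account names, padding scheme and function names are all hypothetical.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 8  # 3DES block size in bytes
KEY = b"constructed-demo-key"  # one key for every user, as in the breach
# Constructed sample accounts (not from the Adobe data).
USERS = {"alice": "123456", "bob": "123456",
         "carol": "photoshop1", "dave": "photoshop2"}

def ecb_standin(key: bytes, password: str) -> bytes:
    """Model ECB: each 8-byte block maps to a fixed keyed output block.
    Truncated HMAC stands in for 3DES (assumption); it is not 3DES."""
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad  # PKCS#7-style padding (assumption)
    return b"".join(
        hmac.new(key, data[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
        for i in range(0, len(data), BLOCK))

def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def scrypt_record(password: str) -> tuple:
    """Hardened form: random per-user salt plus a memory-hard one-way KDF."""
    salt = os.urandom(16)
    return salt, _scrypt(password, salt)

def scrypt_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(_scrypt(password, salt), stored)

def repeated_values(values) -> int:
    """Audit check: how many stored values are shared with another account."""
    return sum(n for n in Counter(values).values() if n > 1)

def audit() -> dict:
    ecb = {u: ecb_standin(KEY, p) for u, p in USERS.items()}
    kdf = {u: scrypt_record(p) for u, p in USERS.items()}
    return {
        "ecb_repeats": repeated_values(ecb.values()),
        "ecb_shared_prefix": ecb["carol"][:BLOCK] == ecb["dave"][:BLOCK],
        "scrypt_repeats": repeated_values(h for _, h in kdf.values()),
    }

if __name__ == "__main__":
    print(audit())
```

Any nonzero repeat count in a password column indicates deterministic, unsalted storage; the shared first block for `carol` and `dave` shows that ECB also reveals when two different passwords begin with the same eight bytes.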

Est. value burned: ~$1M ($1M state AG settlement)

Sources

  1. [1]
