In early October 2013, Adobe reported a security incident on its servers. The original blog posts are no longer available (except through a web archive), but independent news sources paint a very clear picture. According to security journalist Brian Krebs (http://mng.bz/o2DZ), attackers were able to access the source code of a few Adobe products. Personal customer information was also stolen. As The Verge reported (http://mng.bz/nND5), the number of affected accounts was initially estimated at around 3 million, but the actual number probably turned out to be over 150 million. To be fair, it is unclear how many of those accounts were inactive or test accounts. The numbers are still staggering, though.
The extracted data included, among other things, passwords. Luckily, they were not stored in plaintext. However, it was still possible to access many of them due to the way the application worked. Let’s look at this case study to learn what went wrong (and how to do it better).