A huge dump of the offending customer database was recently published online, weighing in at 4GB compressed, or just a shade under 10GB uncompressed, listing not just 38,000,000 breached records, but 150,000,000 of them.
As breaches go, you may very well see this one in the book of Guinness World Records next year, which would make it astonishing enough on its own.
The stolen file contained both active and inactive accounts for "numerous Adobe products" (examples include Acrobat, Photoshop, ColdFusion, Creative Cloud).
The file holds Adobe IDs, email addresses, (encrypted) passwords, credit/debit card numbers, expiration dates, other PII (Personally Identifiable Information) and more.
At this time, it is believed that the file's passwords have not been cracked.
Yet this belief veils little more than a race to the encryption key, as this week we learned that Adobe's passwords can be unlocked with a single key.
The use of a symmetric cipher here, assuming we're right, is an astonishing blunder, not least because it is both unnecessary and dangerous.
Anyone who computes, guesses or acquires the decryption key immediately gets access to all the passwords in the database.
We can only imagine how much money that key is worth now.
Is it safe to use Lucb1e's search?
I temporarily store your IP address, the search query and the search result.
This data is stored for 48 hours. After that, all your data is permanently erased.
If you tick the 'email results' box, you receive 1 email. Storing your IP is for security reasons. If someone submits ten thousand searches at once, it automatically blocks that. Who can access this data? Me and only me. And the Dutch government if they do a formal request (within 48 hours, after that it's permanently gone like I said before), but I've never received such a request, nor do I expect to. Also be sure to use https if you're concerned about that kind of thing.
Lucb1e had an interesting time creating his search tool, and received helpful feedback from his co-Redditors on making it faster and more efficient.
The day before yesterday I launched a service where you can check whether you were included in the Adobe accounts hack. I had the file, it could be grepped for stuff in about 30 seconds, and I thought "hey, others might want to do this too". And so I started coding. My parents would be home soon and we'd go out for dinner, but I wanted it done. (...)
(...) I started mashing another script together which connected to the server, got some search queries, ran the queries in batches on my laptop's local database, and posted the results back to the server. This was epically fast. Then I multithreaded it. This was super epically fast.
He concludes with three excellent lessons, the last of which includes:
Test and think before putting something out there.
Don't rush too much.
Let's hope Adobe reads that bit, and takes it to heart.