Adobe breach reveals really terrible passwords are still popular – 2 million used “123456”

Adobe’s security breach laid bare 38 million passwords to the world – and a security researcher claims that 1.9 million of these are the simple “123456”.

Half a million craftier customers chose “123456789”, according to a report by The Register, quoting researcher Jeremi Gosni, a self-styled “password security expert” who found the passwords in a dump online.

The entire top 20 is filled with “simplistic” passwords which are a “cause for concern,” according to PC Retail’s report.

The passwords are to be found on several online dumps, Gosni said. Adobe initially said that three million accounts were affected, but has since raised that figure to 38 million, with another 150 million at risk.

Password                      Number of users

  1. 123456              1,911,938
  2. 123456789       446,162
  3. password          345,834
  4. adobe123          211,659
  5. 12345678          201,580
  6. qwerty               130,832
  7. 1234567             124,253
  8. 111111                  113,884
  9.  photoshop        83,411
  10.  123123              82,694


The Register called the list of passwords “pathetic”, saying that it made their staff, “wonder if criminals should have bothered breaking in to steal them: with 1.9 million users relying on “123456” there’s a better than one in one hundred chance of unlocking an Adobe account with blind luck.”

ESET Senior Research Fellow David Harley says that in cases such as these, even users with “strong” passwords are at risk – and should think carefully about other sites where they may have used the same password:“Where your login credentials have been revealed, it’s obviously a good idea to change your password, and in fact the compromised site may force you to do so. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him. (Of course, they may not be sites of interest to you.) So it’s a good idea (if an irksome task) to change your password on other sites that do use the same credentials.”

A We Live Security guide to what to do in the event of a breach can be found here.

ESET Researcher Stephen Cobb described the breach as “unprecedented” at the time, due to the fact that attackers also appeared to have accessed source code for Adobe’s Acrobat software.

 Cobb says, “Access to the source code could be a major asset for cybercriminals looking to target computing platforms such as Windows or mobile operating systems such as Android.”

Author , We Live Security

  • Marilyn

    I would like to point out that it wasn’t the stupid passwords of Adobe users who got hacked. It was Adobe. Were they using 123456?

    • It’s perfectly true that it doesn’t matter how ‘good’ your password is, if the service provider doesn’t protect your credentials well enough. Nonetheless, it still makes sense to use sound passwords to mitigate guessing attacks, and it also makes sense not to use the same password across different sites.

    • It’s perfectly true that it doesn’t matter how good your password is if the service provider doesn’t protect it well enough. But it still makes sense to use sound passwords to make it harder for attackers to guess, and to avoid using the same credentials on several sites.

Follow us

Copyright © 2017 ESET, All Rights Reserved.