At the end of June, Adidas issued a press release stating that they had been informed that a third party had acquired some data on their customers from their systems. As is usual for these announcements, the press release was sparse on details. But they did mention that during their investigation they found that “limited [including] contact information, usernames and encrypted passwords” may have been obtained by the third party.
Breaches like this happen all the time, and if you are a customer of Adidas you should seriously consider changing your password. While the press release says that the passwords were encrypted, it’s always good practice to change your password after any breach. Just because a website says that the passwords it stores are encrypted doesn’t mean that you are 100% protected from hackers.
Hackers have the ability to brute force or guess every possible combination of a password. They run each guess through the same encryption that the website uses and compare the result with the values in the stolen data. If they find a match, they have successfully recovered your password.
This is the perfect example of why everyone should be using unique passwords for every website. Hackers will often exploit a person’s password reuse to get into other accounts that user may have. Let’s assume that you had an account with Adidas and that the password for your Adidas account and Facebook account were the same. If an attacker were able to brute force your encrypted password from the Adidas dump, they would then have your Facebook password.
However, if you used a password manager and all the passwords for your websites were different, the attacker would only have gained access to your Adidas account. They would not be able to use that password on other sites to get into more sensitive parts of your life. This is where unique passwords really show their value.
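The reuse scenario above, as an added example that is not part of the original post: it checks a breached site's stored password against a short guess list and reports which of the user's other sites the recovered password would also open. Unsalted SHA-256 is an assumption standing in for the unknown "encrypted" scheme, and the guess list, the users and the "bank" site are constructed for illustration.

```python
import hashlib
import secrets
import string

def stored_form(password: str) -> str:
    # Assumption: unsalted SHA-256 stands in for the site's unknown scheme.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def generate_password(length: int = 20) -> str:
    # What a password manager does: pick every character with a CSPRNG.
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def sites_exposed(vault: dict, breached_site: str, guesses: list) -> list:
    """Sites that open with the password recovered from one breached site.

    vault maps site name -> the user's password on that site. Only the
    breached site's stored value is compared against the guesses.
    """
    leaked = stored_form(vault[breached_site])
    recovered = next((g for g in guesses if stored_form(g) == leaked), None)
    if recovered is None:
        return []  # no guess matched: the leaked value stays useless
    return sorted(site for site, pw in vault.items() if pw == recovered)

# Constructed sample data: a short list of common passwords and three users.
COMMON_GUESSES = ["123456", "password", "qwerty", "letmein", "football"]
SITES = ["adidas", "facebook", "bank"]  # "bank" is a hypothetical third site

reuser = {site: "letmein" for site in SITES}             # same weak password everywhere
weak_unique = {"adidas": "football", "facebook": generate_password(),
               "bank": generate_password()}              # weak, but not reused
managed = {site: generate_password() for site in SITES}  # generated and unique

if __name__ == "__main__":
    for name, vault in [("reuser", reuser), ("weak_unique", weak_unique),
                        ("managed", managed)]:
        print(name, "->", sites_exposed(vault, "adidas", COMMON_GUESSES))
```

The three users show the post's argument in order: reuse exposes every account, a weak but unique password limits the damage to the breached site, and a generated password is not recovered at all.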
If you have an Adidas account, I would suggest changing your password immediately. After Adidas completes their investigation they may find that there was no issue, but I always say “better safe than sorry”. If you change your password now, you know that any password that was leaked will no longer be valid, and you can rest assured that the attackers out there will not be able to get into your account using that old password.
If you are not using a password manager, why not? Password managers help you to create unique passwords as well as strong and secure passwords which are harder to brute force. Finally, using a password manager makes changing a password on an individual site very easy: you just let the password manager generate a new password and you never have to remember it.
Kyle Slosek is a security practitioner with 10 years of experience in enterprise Information Technology environments. Throughout his career Kyle has performed everything from certification and accreditation to penetration testing and forensics. He holds a Bachelor of Science in Information Technology, a Master of Science in Information Assurance, as well as several industry certifications.