I write that passwords have been leaked since that is how it is reported. Really the passwords haven't been leaked, or even a password hash. What has been leaked is most likely 3DES encrypted passwords. But to simplify things I'm calling the encrypted passwords hashes, since that's usually what you are dealing with when analyzing a password leak like this.
The top 10 .se domains are:
Interesting .se domains include:
I considered not listing these, but there really isn't any damage that can be done with this information. I just really hope that these organizations have a process in place to deal with events like this. A process such as the one used by Facebook. Or even diapers.com.
Top 10 passwords with a .se domain.
| Users | Hash | Hash in hex | Characters |
|---|---|---|---|
As you can see above, a majority of the top passwords consist of 1-7 characters. The list is actually incorrect since the most common .se password was actually no password at all. 57 172 .se accounts didn't have a password in the file. Good for them. That means that there are only 348 806 .se accounts whose passwords were leaked. That's about 50 000 less than what has been reported in Swedish media (their analyst might not have noticed that some entries are lacking a password), but still quite a lot.
Number of password hints for the top 10 .se passwords
Though not having a password hint and having a unique password sadly doesn't put you in the clear from this leak. Thanks to Adobe's use of 3DES ECB mode, we can in certain cases (if the password length is a multiple of 8) know the exact length of the password. Of the 149 554 .se users with unique passwords and no hint, we can tell the exact length of 41 125 of them. That means that 108 429 of the .se passwords are actually pretty safe. We can still tell the general length of the passwords (e.g. 1-7 or 9-15 characters long), but not much more.
It's interesting to see how many people use a password of exactly 8 characters, and how dramatically the number of users drops after the 9-15 character length. 99.9 percent of all passwords are of length 1-15.
In summary, 405 978 .se accounts were leaked. But 57 172 of those accounts didn't have a password. That leaves 348 806 vulnerable accounts. Of those accounts, 108 429 have a unique password, no password hint, and a password whose exact length we can't tell. That leaves 243 377 .se accounts that are vulnerable. It's smaller than 400 000, but still way too many.
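The length inference from the ECB paragraph above and the tallies in this summary, as an added example that is not part of the original post. The analysis only needs the property that ECB encrypts each 8-byte block independently and without a salt, so a stand-in block mapping (labelled as such) is used instead of real 3DES just to build a constructed dump; PKCS#5-style padding is an assumption, as is the rule that the all-padding block's ciphertext is the most common trailing block.

```python
import base64
import hashlib
from collections import Counter
BLOCK = 8  # 3DES block size in bytes

def stand_in_ecb(password: bytes, key: bytes) -> str:
    # Stand-in for 3DES-ECB, used only to build constructed data: PKCS#5 padding
    # (assumed) and an independent, deterministic mapping of each 8-byte block.
    pad = BLOCK - len(password) % BLOCK
    padded = password + bytes([pad]) * pad
    ct = b"".join(hashlib.sha256(key + padded[i:i + BLOCK]).digest()[:BLOCK]
                  for i in range(0, len(padded), BLOCK))
    return base64.b64encode(ct).decode()

def infer_pad_block(hashes) -> bytes:
    # Without the key, the ciphertext of an all-padding block is the most common
    # trailing block: every 8-, 16-, ... character password ends with it.
    tails = Counter(base64.b64decode(h)[-BLOCK:] for h in hashes
                    if len(base64.b64decode(h)) > BLOCK)
    return tails.most_common(1)[0][0]

def length_bounds(hash_b64: str, pad_block: bytes):
    # (min_len, max_len, exact) from the block count and the trailing block.
    ct = base64.b64decode(hash_b64)
    blocks = len(ct) // BLOCK
    if ct[-BLOCK:] == pad_block:   # full padding block: length is a multiple of 8
        n = (blocks - 1) * BLOCK
        return (n, n, True)
    return ((blocks - 1) * BLOCK + 1, blocks * BLOCK - 1, False)

def summarise(records) -> dict:
    # rows are (email, hash or '' when the file had no password, hint);
    # unique hash + no hint + exact length unknown = "pretty safe", as in the post.
    present = [r for r in records if r[1]]
    uses = Counter(h for _, h, _ in present)
    pad_block = infer_pad_block([h for _, h, _ in present])
    safe = [r for r in present if uses[r[1]] == 1 and not r[2]
            and not length_bounds(r[1], pad_block)[2]]
    return {"accounts": len(records), "no_password": len(records) - len(present),
            "leaked": len(present), "pretty_safe": len(safe),
            "vulnerable": len(present) - len(safe)}

KEY = b"constructed-demo-key"  # the analyst never has this; it only builds SAMPLE
SAMPLE = [  # constructed dump rows: (email, hash, hint)
    ("a@example.se", stand_in_ecb(b"password", KEY), "the usual"),
    ("b@example.se", stand_in_ecb(b"password", KEY), ""),     # same hash as a: ECB, no salt
    ("d@example.se", stand_in_ecb(b"123456", KEY), "numbers"),
    ("f@example.se", stand_in_ecb(b"adobe123", KEY), ""),     # exactly 8: length leaks
    ("g@example.se", stand_in_ecb(b"sommar2013", KEY), ""),   # unique, no hint, 9-15
    ("h@example.se", stand_in_ecb(b"qwerty", KEY), ""),       # unique, no hint, 1-7
    ("j@example.se", "", ""),                                 # no password in the file
]
```

Running `summarise(SAMPLE)` reports one account without a password, six leaked, and two of those "pretty safe" in the post's sense.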
This is all assuming that the key Adobe used to encrypt the passwords hasn't been stolen or discovered. If that key leaks, all passwords can be decrypted, and everyone's exact password will be revealed in clear text.
Comments and corrections are of course welcome in the comment section below, or any other way that you can get in contact with me.