The epic blunder that led to the publication of more than 130 million encrypted Adobe passwords is generating security alerts at some unlikely websites now that researchers have figured out how to decrypt significant portions of the massive trove.

Members of Facebook's security team have already combed through the cache to identify users who used the same login credentials on both the Adobe and Facebook sites, and in some cases they have mandated password resets based on that analysis, KrebsOnSecurity's Brian Krebs reported. A spokesman told him it was a routine measure Facebook employees take to safeguard user accounts following big breaches.

Indeed, the practice makes sense. Adobe's use of reversible encryption, in a mode that exposes patterns in the underlying plaintext, has allowed researchers to decipher a large number of passcodes. Last week, password security expert Jeremi Gosney published a list of the top 100 Adobe passwords, and as usual, it was topped by dogs such as "123456", "123456789", and "password". If the credentials are this easy for whitehats to come by, there's nothing stopping blackhats from doing even better, since they have so much more to gain. Armed with a user e-mail address and the corresponding Adobe password, they're free to try the combination to hijack accounts on other sites and then use them in spam and phishing campaigns, along with other fraudulent schemes.

Enter Diapers.com

Interestingly, Facebook doesn't appear to be the only site that's paying close attention to the Adobe leak. Consider the following e-mail some subscribers of Diapers.com recently received:

At Diapers.com we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of e-mail address and password sets posted online. While the list was not Diapers.com-related, we know that many customers reuse their passwords on several websites. We believe your email address and password set was on that list. So we have taken the precaution of resetting your Diapers.com password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your Diapers account.

As Ars explained last week, Adobe's storage of the 130 million passcodes was almost a textbook example of how not to manage highly sensitive login credentials. It used a single key to encrypt all passwords with the Triple DES encryption algorithm in ECB mode. That meant that every identical plaintext password produced an identical encrypted string. ECB mode further allowed outsiders to examine the ciphertext to glean important clues about the plaintext, including its length and the type of characters it might contain. Because so many Adobe accounts are affected, it hasn't been hard for outsiders to use the known passwords of their own accounts to help decipher the list. That has let researchers deduce passwords such as "adobe1999" even though the underlying cryptographic key still hasn't been broken.

"Because of ECB mode, the more known plaintexts we have for different blocks, the more pieces of the puzzle we have," Gosney wrote in an e-mail to Ars. "So yes, it's entirely possible to know with 100-percent certainty that the dude used 'adobe1999' as his password, without actually decrypting it."
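To make the block-matching Gosney describes concrete, here is an added example (not code from Ars, Gosney or Adobe) that encrypts a small constructed corpus with Triple DES in ECB mode under a constructed key, then recovers other users' password blocks using only the analyst's own known passwords and never the key. The 24-byte key, the user names and passwords, and the zero padding are assumptions made for the demo; Adobe's actual padding is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/des"
)

// Constructed 24-byte key standing in for the single key the article describes; not Adobe's.
var demoKey = []byte("demo-key-for-ecb-leak-24")

// pad8 zero-pads to the 8-byte DES block size (the padding scheme is assumed for this demo).
func pad8(p []byte) []byte { return append(p, make([]byte, (8-len(p)%8)%8)...) }

// encryptECB applies 3DES to each 8-byte block on its own: equal blocks in, equal blocks out.
func encryptECB(key, plaintext []byte) []byte {
	c, _ := des.NewTripleDESCipher(key) // key must be 24 bytes; demoKey is
	pt := pad8(plaintext)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += 8 {
		c.Encrypt(ct[i:i+8], pt[i:i+8])
	}
	return ct
}

// analyzeECB never sees the key: ciphertext blocks of the analyst's own known passwords are
// looked up in every other record; each unrecovered block is shown as eight '?' marks, the
// block count bounds a password's length, and byte-identical records mean a shared password.
func analyzeECB(corpus map[string][]byte, known map[string]string) map[string]string {
	dict := map[string][]byte{} // ciphertext block -> plaintext block
	for user, pw := range known {
		ct, pt := corpus[user], pad8([]byte(pw))
		for i := 0; i < len(ct); i += 8 {
			dict[string(ct[i:i+8])] = pt[i : i+8]
		}
	}
	out := map[string]string{}
	for user, ct := range corpus {
		var buf []byte
		for i := 0; i < len(ct); i += 8 {
			if pt, ok := dict[string(ct[i:i+8])]; ok {
				buf = append(buf, pt...)
			} else {
				buf = append(buf, "????????"...)
			}
		}
		out[user] = string(bytes.TrimRight(buf, "\x00")) // strip demo padding
	}
	return out
}
```

With the analyst's own accounts set to "password9" and "adobe199", a record holding "adobe1999" is recovered in full from its two matching blocks, "password123" comes back as "password????????", and two users who both chose "123456" show identical ciphertext even though that block itself stays unrecovered.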

To make matters worse, the file contained a list of password hints that in many cases repeat the password outright, or at least provide additional clues to fill in the puzzle. Security researcher Josh Dustin has more details here. Given the number of real-world passwords at stake and the ease of decrypting them, the Adobe breach is shaping up to be one of the seminal events in the unfolding history of password cracking. No wonder it's attracting attention from Facebook and other third-party sites.