BREAKING NEWS: Cyber Attack on Adobe Compromised 2.9 Million Customers

Current Events October 3rd 2013 2:54 PM 19 Comments


Adobe just reported that the company has been the target of a major cyber attack. Their security team discovered “sophisticated attacks on their network, involving the illegal access of customer information as well as source code for numerous Adobe products.”

The security team believed that the attackers got hold of the Adobe customer IDs, encrypted passwords, encrypted credit card/debit card numbers, and expiration dates of around 2.9 million Adobe customers. They also believed that the attackers did not remove decrypted credit or debit card numbers.

As a precaution, Adobe are taking the following steps:

  • As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.
  • We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.
  • We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.
  • We have contacted federal law enforcement and are assisting in their investigation.


It remains to be seen what long-lasting consequences will result from this incident, but as a current Creative Cloud customer, I am worried about this attack. It does remind me that in today’s world, a lot of our sensitive information is floating online and even companies as big as Adobe are not immune to cyber attacks. It is worth noting that Adobe does not specify that only Creative Cloud customers are affected, so even those who are still using CS6 or older may have their sensitive information compromised.

You can read the rest of Adobe’s Press Release on Adobe’s Blog.

So what are your thoughts on this situation?


About

Joe is a rising fashion and commercial photographer based in Los Angeles, CA. He blends creativity and edge with a strong style of lighting and emotion in his photographs. Be sure to check out his work at www.fotosiamo.com and connect with him on Google Plus and on Facebook

19 Comments

  1. emily

    if the hackers have all of my information what am i supposed to do….?? open a new debit card?

    Reply 2
    • C

      After you get a new debit card, stop using it and switch to a credit card, which has more fraud protection.

      1
    • dave c

      Personal accounts have lots of legal protections, if the card you used was attached to a business account, call your bank immediately.

      0
  2. Hal

    One more reason I don’t like Adobe’s new subscription only business model. In addition to the issues involved with an unreliable internet connection when I want to edit some photos, that is. It’s one thing to make a one time purchase from a vendor, a subscription program requiring monthly installments means all that financial data is available each and every month…

    Reply 12
    • Joe

      Hal, You don’t need an internet connection to edit photos. You should read more about the product. You need internet access once a month for verification.

      8
    • David Liang

      The model works pretty well for netflix, itunes and paypal etc. which all have personal and financial information. The same risks apply to the above mentioned businesses. Further you don’t need an internet connection to edit the photos it works just like any client side application. You’d sound less foolish having actually tried the software and comparing the business model you’re criticizing.

      4
  3. tony pardi

    this happened to sony and they made good by giving out free games, i think Adobe needs to make good and give out free months of CC or at the very least lower the cost of the subscription

    Reply 4
  4. Stan Rogers

    I applaud Adobe for taking this seriously and making it sound scary. But before anybody panics:

    It is highly unlikely that Adobe ever had your encrypted password or encrypted credit/debit card number stored anywhere at all. Yes, they lost control of the information they use to identify you and to bill you, but saying that they lost “encrypted” information makes it sound like it’s just a matter of decoding the stolen data. It isn’t.

    What Adobe had was a hash of your password (likely salted, and generated by a key derivation function rather than a simple cryptographic hash function). Hashes cannot be decoded/decrypted. The only way to check your password is to see if it results in the same mess again when it’s run through the same hashing function using the same salt. The only way the bad guys can find out your password is by trying a lot of passwords to see if they work. That takes time (and rather a lot of time if they were using an industry-standard KDF). It may take a fraction of a second to check your password to see if it’s right, but it takes a very, very long time to check millions or billions of guesses, even with a lot of equipment available. If you take Adobe’s advice and change your password elsewhere if it’s the same (quickly, but no need to panic) then there shouldn’t be any trouble — unless you were using one of the top few hundred common passwords. If you were, then stop doing that.

    They would not be storing or using your CC info directly either. What they would have had is the last four digits of your card number, the expiration date, and an electronically-signed billing token from your card payment processor/financial institution that they obtained “blind”. (No web site wants to have the liability that comes with storing CC numbers.) That *should* prevent charges made by anyone *but* Adobe, but they’re being precautious dealing with the situation and with the banks/payment processors, and telling you that you should be aware of the dangers as well. And it seems they have checked and are checking their logging system to make sure that none of your CC info “leaked” into storage anywhere. Again, take it seriously, but don’t panic.

    I can’t say I’m surprised to hear about this; moving to a subscription-only model raised a lot of ire and also turned Adobe.com into a possible lottery prize for hackers if they did it wrong. It will take some time before a post mortem is issued, but their reaction so far (including the fact that they were able to detect the attacks in a timely fashion) leads me to believe that they were doing most things in the right way (technically, at least; I still don’t like the subscription-only model). The most disturbing part for me was that the attackers were able to tunnel in to their source code repository; with the number of pirated versions of CS out there (and the desirability thereof) I’d expect to see a lot of computers compromised by future “rips” built from modified sources.

    Reply 10
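The salted-hash check described in the comment above, as an added example that is not part of the original post and not Adobe's code. It assumes PBKDF2-HMAC-SHA256 from Python's standard library and an iteration count of 200,000; the page does not say which scheme Adobe used, and the record format is made up for illustration.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"   # assumed scheme, not taken from the page
ITERATIONS = 200_000          # assumed work factor; tune to your hardware


def hash_password(password, iterations=ITERATIONS):
    """Return a storable record: algorithm$iterations$salt_hex$key_hex."""
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Re-run the KDF with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True if the record uses a weaker work factor than the current policy."""
    try:
        algorithm, stored_iterations, _salt, _key = record.split("$")
        return algorithm != ALGORITHM or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample password, for demonstration only.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("password1", record))
```

Because the salt is random per account, two users with the same password get different records, so each stolen record has to be guessed separately at the full KDF cost per attempt.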
    • picman1

      Good try Stan but just like Adobe you feed the public with untruths and nonsense. Adobe cloud customers information has been compromised and it serves Adobe and their customers right for establishing and feeding this greed machine and supporting this nonsense. Adobe is going down… this is the first step.

      0
  5. Sam L

    Does this apply to customers who purchased Lightroom in the past couple of years as well?

    Reply 0
    • Joshua Evan

      Until Adobe release more information there’s no way of knowing. However, like they say in their statement, they will contact customers who they believe this has affected.

      As a precautionary measure it might be a good idea to change your password.

      0
  6. Rudy

    It’s the internet, why is it surprising to any of you?

    Reply 2
  7. Daluz

    The question is: Can the customers still run the softs? The ADOBE SUPPORT is a complete joke (go to their Facebook page and check), I think they will have to come back to SELL their software, cos they don’t have the knowledge to manage online subscriptions.

    Reply 0
  8. picman1

    That’s what you get for supporting the greed machine that is Adobe. Serves them right. Just a matter of time before versions of the software make it to CD and flash drives everywhere. Now this greedy company has compromised the credit card and bank info of thousands of foolishly loyal customers. This cloud crap should and is a bust backfiring on Adobe…. love it!

    Reply 0
  9. Jimbo

    This is a surprise? How many security holes were and still are in flash player and Adobe Reader.

    Reply 2
  10. Chris Pettit

    “It does remind me that in today’s world, a lot of our sensitive information are floating online and even companies as big as Adobe are not immune to cyber attacks. ”

    I would go further Joe, the bigger the company, the bigger the target, the MORE likely they are to get hacked. Add in to that a lot of bad will because of mandatory CC and the worst tech support on the planet, Adobe was a big target. It seems to me that part of the problem is specifically that these companies are getting way too big, they own too much of the applications and substance of what we all need to work in a digital age, and as a result when they get hacked a great deal of damage is done all at once.

    Reply 1
  11. mausalista

    In reply to Sam L’s question and anybody wondering whether it affects NON-Cloud customers as well: Yes, it does. I got Adobe’s notification this morning, and I’ve only ever done a couple of one-off purchases of Lightroom.

    Reply 0
  12. Sue

    Very much female and once blond, I have to wonder if I should be truly worried. I don’t have an Adobe password and never have had one so can’t reset it. I only use Adobe Reader for basic PDF files and I don’t have many of them. It’s not like I’m sticking my head in the sand but I would have to create an account just to change it. Yes I received an e-mail this morning asking me to reset my password….. BUT I DON’T HAVE ONE!!! Any advice from people who are more in the know or should I just use my instincts and ignore the message?

    Reply 1
