8 Things We Know So Far About Adobe’s Customer-Data Breach

Here's a quick explainer, along with Adobe's recommendations.


Hello again friends, welcome back to the show that never ends: another massive corporate data raid, millions more user accounts and login credentials and payment details potentially compromised, and top secret source code on the loose.

Welcome to the club, Adobe! You probably know Bank of America, Heartland Payment Systems, Epsilon, Sony, Valve, the U.S. government, the Canadian government, PayPal, the Iranian government, Foxconn, Farmers Insurance, MasterCard and all the rest whose names I haven’t memorized yet. Just have a seat on the floor, because we’re out of chairs.

We’re early days into this latest hacker debacle — Adobe just confirmed the breach on Wednesday — but if you want the CliffsNotes version of what happened and where things stand, here’s the concise explainer:

Hackers broke into Adobe Systems, Inc. and accessed source code and user data.

Brian Krebs of cybersecurity blog Krebs on Security, working with security firm Hold Security, LLC, says it learned of the source code leak last week, when Krebs and Hold…

…discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll. The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.

If these guys knew last week, why didn’t they let us know then?

Presumably to give Adobe a better shot at nabbing the ne’er-do-wells, though it sounds like Adobe was aware of the problem since mid-September. Krebs says he sent Adobe screens of the pilfered source code last week, and that Adobe responded to him on October 3 by confirming it had been investigating a possible network breach since September 17. When Krebs spoke with Adobe about the breach specifics, he says Adobe told him it believes the source code was accessed back in mid-August.

What sort of user data was compromised?

According to Adobe, the hackers accessed the credit card information of around three million customers, as well as the login information of an unknown number of customers.

Any products we know about specifically?

Krebs says the hackers grabbed source code for “an as-yet undetermined number of software titles, including [Adobe’s] ColdFusion Web application platform, and possibly its Acrobat family of products.” Adobe confirms this, listing the products illicitly accessed as “Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products.”

Did anyone goof with the source code?

This matters more if you’re on the development side, but Krebs says Adobe told him that the company “has undertaken a rigorous review of the ColdFusion code shipped since the code archive was compromised,” and that it’s confident code shipped since the incident occurred is solid.

As for the rest of the source code potentially compromised, Adobe says its investigation is ongoing.

I have an Adobe account. Am I at risk?

In a security announcement issued on Thursday, Adobe writes that “the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.” It says that information — specifically user account passwords and credit card details — was encrypted, and that it believes the attackers didn’t remove “decrypted credit or debit card numbers” from its systems.

In other words, yes, you’re at risk: believing something’s the case isn’t the same as knowing. But that risk, according to Adobe, is very low.

Do I need to do anything?

Yes. Even were Adobe claiming it knew the information extracted was innocuous, you need to take basic precautions. Adobe concurs in its security announcement, writing that it’s dispatching emails to anyone whose account was potentially compromised. If you receive such an email, follow Adobe’s instructions to reset your password. And as Adobe notes, if you’ve used the same user ID and password with any other website or service, you’ll want to change the password there as well.

Anything else Adobe’s doing to rectify the problem?

The company says it’s giving customers whose credit/debit card info might have been compromised “the option of enrolling in a one-year complimentary credit monitoring membership where available.” The company says it’s also notified any banks that process Adobe-related customer payments, and that it’s pulled in federal law enforcement to help with its investigation.

6 comments
russell.x.page

Adobe is saying here: <http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html> that "... the attackers accessed Adobe customer IDs and encrypted passwords on our systems." Is this for real? I hope they actually mean "hashed" passwords. And I hope that if the passwords were hashed, they are using salts and high iteration counts. I know this sounds really geeky (GEEK - General Electrical Engineering Knowledge 8-)), but this is a way of allowing people to login with a password, without the computer actually storing the password or an encrypted version of it. The technique has been publicly known since at least 1979 <http://people.eecs.ku.edu/~saiedian/Teaching/Fa12/710/Readings/Unix-salt.pdf>. Windows doesn't use it. Linked tried to do it and stuffed up the implementation. Hopefully, Adobe sensibly just listed the current implementation of the technique out of BSD or Linux.

Just a hint. Don't store your credit card details on a merchant web site. If typing it in each time you make a purchase is too tedious for you, download Keypass and store it in there. You can then paste it into the merchant website as needed.

AruxandeiCosmin

Do you want to find out more about technology, cybernetic anonymity, hackers and stuff? Well, then it seems that this blog has something to tell you: https://itandtechnology.wordpress.com/ If you liked it, please get subscribed to it, and leave comments so I can get your opinion about the articles! Cheers!

scottyisgaga

This is what happens when you spend all your money on FORCING customers into something they don't want. So worried about investors they don't care about customers. Adobe is DONE.

IntangibleGuy

An outfit of mischievous hackers tampering with the source code of products is probably the very worst that can happen to a renowned company. Much worse than simply gaining access to login credentials or credit card numbers.

It basically obliterates the trust and faith consumers have for immaculate source code. Next time I'll receive an unsolicited sw update on behalf of Adobe ... what harm will that do to the integrity of my PC?

I don't get it that laxity on security is still the way to go even in the wake of an array of outrageous security breaches all over the world.

minstrelmike

For some snarky reason, I don't believe hackers broke into Adobe in order to get the source code for ColdFusion. That's like Linux hackers trying to get the source code for Windows 95.