View Full Version : Adobe User Accounts - HACKED!!!



Kym
05-10-2013, 9:21am
http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html


Important Customer Security Announcement
Posted by Brad Arkin, Chief Security Officer on October 3, 2013 8:08 AM (http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html) in Executive Perspectives (http://blogs.adobe.com/conversations/category/executive-perspectives)
Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers. Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related.
Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident. We’re taking the following steps:


As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.



We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.



We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.



We have contacted federal law enforcement and are assisting in their investigation.

We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident. For more information, please see the blog post here (http://blogs.adobe.com/asset/2013/10/illegal-access-to-adobe-source-code.html).
We value the trust of our customers. We will work aggressively to prevent these types of events from occurring in the future. Again, we deeply regret any inconvenience this may cause you. If you would like additional information, please refer to Adobe’s Customer Support page (http://www.adobe.com/go/customer_alert).
Brad Arkin
Chief Security Officer



Change your account password and your credit card now - thanks to Adobe security. :eek:

ricktas
05-10-2013, 10:04am
Ouch...not good!

chappo1
05-10-2013, 10:13am
I presume this means the creative cloud? I am still weighing up the pros and cons. Maybe wait a little longer...john

MrQ
05-10-2013, 10:15am
It's a shame I had to hear of this through general news sites. Adobe has my email address (and possibly so do the hackers) and they're quick enough to send adverts and special offers, so an email to customers about the problem may have been a good first step.

I suppose the good news is that I also haven't had an email from them to tell me that my account was one of those compromised. Fingers crossed that this remains the case.

Anybody else on here heard anything from Adobe about this?

ricktas
05-10-2013, 1:57pm
Adobe are asking EVERY person who has an account with them to reset their password:

http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html?promoid=KHQGF

fess67
05-10-2013, 4:59pm
I got an email from Adobe. Stuff happens and as they say it is a part of doing business in today's market.

Kym
05-10-2013, 6:59pm
I got an email from Adobe. Stuff happens and as they say it is a part of doing business in today's market.

There is really no excuse for a multi-billion dollar company to not have their security sorted.
Modern web security must be multi-level and this sort of hack is an indictment on an IT company.
Heads should roll including the CEO!

agb
05-10-2013, 8:11pm
There is really no excuse for a multi-billion dollar company to not have their security sorted.
Modern web security must be multi-level and this sort of hack is an indictment on an IT company.
Heads should roll including the CEO!
My thoughts too Kym. With all the specialists that they have it's a dismal effort.

ricktas
05-10-2013, 8:24pm
The other issue that has occurred and has not had as much focus, in relation to all this, is that the hackers also got access to, and downloaded, a lot of the Adobe source code. This could mean that, down the track, you get an advice that Adobe Reader needs an update etc, and you go ahead and run the update, but the update could contain viruses etc, and actually be from the hackers, not Adobe.

The effects of this hack could be felt for months/years

Mark L
05-10-2013, 9:11pm
There is really no excuse for a multi-billion dollar company to not have their security sorted.
Modern web security must be multi-level and this sort of hack is an indictment on an IT company.
Heads should roll including the CEO!

Especially when they are forcing you to use their products via the web.

MrQ
05-10-2013, 9:18pm
Especially when they are forcing you to use their products via the web.
It's not just the Creative Cloud users. My wife got the "your account was compromised" email this afternoon and she'd only signed up for some Acrobat thing years ago.

Kym
05-10-2013, 9:22pm
It's not just the Creative Cloud users. My wife got the "your account was compromised" email this afternoon and she'd only signed up for some Acrobat thing years ago.

It is ALL Adobe accounts. As Rick said, the fallout of this will go on for a long while

Kym
05-10-2013, 9:31pm
El Reg http://www.theregister.co.uk/2013/10/03/adobe_major_hack/

Inq http://www.theinquirer.net/inquirer/news/2298679/adobe-hack-sees-29-million-customers-data-stolen

/. http://it.slashdot.org/story/13/10/03/221248/adobe-hacked-almost-3-million-accounts-compromised

FWIW this sort of issue is likely to push people to have © infringed versions of Adobe products so their credit card does not have to be held by Adobe

Kym
06-10-2013, 9:49am
Vote against CC here: https://www.change.org/petitions/adobe-systems-incorporated-eliminate-the-mandatory-creative-cloud-subscription-model

johndom
06-10-2013, 8:31pm
Hadn't felt motivated to upgrade to the CC as I really only use Photoshop. Less so now.

ricktas
06-10-2013, 8:34pm
Hadn't felt motivated to upgrade to the CC as I really only use Photoshop. Less so now.

But if you purchased Photoshop online and downloaded it, thus you have an Adobe account, you need to change your password, and your credit card details may have been compromised. This is not limited to the Creative Cloud users!

MrQ
06-10-2013, 9:14pm
It looks like Adobe is insisting on password changes whether or not your account was one of those compromised. I just logged in to manually change mine and had to reset the password before I could even get to my account details.

ricktas
06-10-2013, 9:24pm
It looks like Adobe is insisting on password changes whether or not your account was one of those compromised. I just logged in to manually change mine and had to reset the password before I could even get to my account details.

Yep, which makes you wonder if the issue is bigger than they have let on.

MrQ
07-10-2013, 10:07am
It looks like Adobe is insisting on password changes whether or not your account was one of those compromised. I just logged in to manually change mine and had to reset the password before I could even get to my account details.
Scratch that. I received the "your account was hacked" email from Adobe this morning (about five hours after I changed my password and more than a day after my wife got her email). Either their email system is still chugging through the backlog or Adobe is still discovering just how much data was compromised.

What a mess.

ricktas
23-10-2013, 7:00am
Adobe are still sending out the password reset email. Friend of mine got their email overnight. My guess is the first round were those that were likely compromised, and now they are resetting everyone else as well (just in case).

Kym
06-11-2013, 12:44pm
It gets worse... http://it.slashdot.org/story/13/11/05/1655225/stolen-adobe-passwords-were-encrypted-not-hashed

Bottom line the hacked passwords were encrypted not hashed.

Why does that matter?
Brute force attack can unencrypt the passwords giving the hackers the original password in plain text whereas a hashed password is much harder to find the original password.
If you use the same password on multiple sites then the hacker has your password for those other sites.
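
Added example, not part of the original thread and not Adobe's code: a Python sketch of the storage difference discussed in the post above. With a deterministic, unsalted scheme every account that shares a password shares a stored value; with a per-account salt and a slow hash none do. The account list, function names and iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune for your hardware

# Constructed sample accounts (not real data).
ACCOUNTS = [("alice", "123456"), ("bob", "123456"),
            ("carol", "correct horse"), ("dave", "123456")]

def deterministic_store(password: str, key: bytes) -> bytes:
    """Stand-in for any unsalted, deterministic scheme (not a real cipher):
    the same password under the same key always gives the same stored value."""
    return hmac.new(key, password.encode(), hashlib.sha256).digest()

def salted_store(password: str) -> tuple[bytes, bytes]:
    """Per-account random salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def accounts_sharing_a_value(stored_values) -> int:
    """Audit check for a credential column: how many accounts hold a stored
    value that at least one other account also holds."""
    counts = Counter(stored_values)
    return sum(c for c in counts.values() if c > 1)

def compare_schemes(accounts=ACCOUNTS) -> tuple[int, int]:
    """Return (shared under deterministic scheme, shared under salted scheme)."""
    key = os.urandom(32)  # one site-wide key, as a deterministic scheme would use
    deterministic = [deterministic_store(pw, key) for _, pw in accounts]
    salted = [salted_store(pw)[1] for _, pw in accounts]
    return accounts_sharing_a_value(deterministic), accounts_sharing_a_value(salted)

if __name__ == "__main__":
    det, salt = compare_schemes()
    print(f"accounts sharing a stored value: deterministic={det}, salted={salt}")
```

Running `accounts_sharing_a_value` over your own credential table is a quick audit: any non-zero result means stored values are not salted per account.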

ricktas
09-11-2013, 4:16pm
and in more news from Adobe:

1.9 million people had used '123456' as their Adobe password. Half a million had used 123456789, and an equally idiotic 350,000 had used 'password'.

If people are silly enough to do this, even I could hack their accounts!

arthurking83
09-11-2013, 6:19pm
If that was the case .. the simple passwords used, then the most likely method of password cracking would have been brute force.
So I'd suspect that if a proper Adobe account holder had used a proper password, then brute force attempts at getting into these accounts may have been both slower or even futile.

I'm thinking that if this is the sort of user account that was hacked, that many of those accounts were either dummy accounts (maybe not used or simply just set up because you have to) and so not a major issue for a legitimate account holder to worry too much about.

Of course the database shouldn't have been entered into at all, so major bad on Adobe's part there and inexcusable really.

A recent news item on the topic had it that well over 100 million (150 million?) accounts were hacked too .. not the 1 million, or 38 million previously thought to have been broken into.

ricktas
10-11-2013, 1:53pm
Another bit of information:

The file that was obtained by the hackers was 9.3GB. That is a LOT of user account data.

bricat
11-11-2013, 7:36am
"If you use the same password on multiple sites then the hacker has your password for those other sites."

So then they have to read my mind to guess what other sites I access? I don't think I have much information on any site that it would matter, but we trust these sites we access to have good security. Some are better than others or more importantly perceived by hackers to be a "target" for information.

Kym
14-11-2013, 8:42pm
So then they have to read my mind to guess what other sites I access? I don't think I have much information on any site that it would matter, but we trust these sites we access to have good security. Some are better than others or more importantly perceived by hackers to be a "target" for information.

Not you specifically, but using the hacked account data to have bulk probe attempts at banking and other sites.
Turns out that computers are very good at doing the same thing over and over very quickly. :D

Once the probe software finds lots of accounts then feeds that info back to the crooks who then start ID theft etc.