
Summary:

Source code from Photoshop as well as Cold Fusion and Acrobat was also taken. And Adobe has found that data for 38 million active users was accessed.


Remember that Adobe source code breach that freaked everyone out? Well, it’s worse than we thought. It turns out that it affected not “just” Acrobat, Acrobat Reader and Cold Fusion users, but Photoshop users as well. The number of people impacted is well over the 3 million customers that Adobe originally noted.

Update: Adobe said in early October that it believed hackers accessed names, encrypted credit card and expiration dates and other data for about 2.9 million customers. But in addition, its investigation has now confirmed that attackers “obtained access to Adobe IDs and what were at the time valid, encrypted passwords for approximately 38 million active users,” according to an Adobe spokeswoman.

Again, Yikes.

The news was reported late Tuesday by Reuters and KrebsOnSecurity, the website of security expert Brian Krebs, who helped unearth the breach originally.

Krebs quotes an Adobe spokeswoman, who acknowledges that the attackers accessed Adobe IDs and encrypted passwords for “approximately 38 million active users.” Adobe has notified those people via email and reset the passwords for the affected Adobe IDs, she said. The company’s investigation also found that source code for Photoshop, as well as the other products, was accessed, she said.

The issue with source code theft is that the bad guys can go through the code, line by line, to find vulnerabilities and start exploiting them long before anyone knows what’s going on.

It was a bad week in security. On Monday, someone used a compromised user account to gain access to some user data at MongoHQ, a company that supports and hosts MongoDB databases.

I’ve reached out to Adobe for further comment and will update this report when I get it.

Note: This story was updated at 12:15 p.m. PDT October 30 with information about a MongoHQ security breach and again at 4:16 p.m. PDT with clarification from Adobe on the total number of customers impacted.

  1. Nicholas Paredes Wednesday, October 30, 2013

    Good thing Adobe didn’t just move to a cloud model! They are not getting my debit card again. Tis sad how many companies require monthly payments that should never be trusted with the data.

    1. @nicholas did you get an email notification from adobe re the breach? Are you using photoshop or cold fusion? curious as to their outreach to affected parties.

      1. They’ve actually done an amazing job…it’s awful these things happen, but they notified me by mail, and email. In addition, they notified my bank, who then issued me a new card, and offered a free subscription to a credit monitoring site.

        While I’m still miffed about it happening, I think they went above and beyond in customer service after the breach.

        1. Did they update your account for you everywhere you make automatic payments? Of course not, because a) they can’t and b) you’re unlikely to give them your number again. Will they compensate you for making those updates yourself?

          So let’s review: They were careless with your data, it cost you real time, money, and worry, possibly some fees if you miss some accounts and a payment is late. Even though monitored, you could also get negative credit reports from anyone you miss trying to charge your defrauded account(s). Oh, and you have a new “best friend” in the monitoring service. (Hmm – I wonder if they have an interest in that company.)

          I’m just not sure WHAT you think they went above and beyond regarding customer service. The bare minimum that public relations would allow?

  2. It’s disappointing to see that Cyber Security does not receive the attention it demands in today’s modern era. One thing that has been exposed in this field, however, is the inability or really the imperfections of all Anti-virus engines on the market. I would encourage you to read how companies like OPSWAT are leading the way in multi-scanning and endpoint protection.

  3. I’ve made a little tool that lets you check for your e-mail in the list: http://adobe.breach.il.ly/

  4. Thank you Illysm! I used your tool and found out my email and acct. info was exposed. I went back into my gmail acct. and found that Adobe did email me on Oct. 16th but it was buried under the mountain of subscribed to emails this account is now run over with….

    Barb, no letter in the mail for me or credit subscription just the email….
