The reverberations from the theft of user data associated with Adobe Cold Fusion, Acrobat, Acrobat Reader and PhotoShop accounts continued this week. On Wednesday, Automattic (see disclosure) notified users of its paid WordPress VIP service that it would reset their passwords if their user information was in the affected Adobe database.
In a blog posted Nov. 13, the company explained:
Recently Adobe had a large user account compromise incident and information was accessed including email addresses. As a precaution and proactive security measure, we’ll shortly reset the passwords of those WordPress.com VIP users whose emails matched the Adobe compromised user account list.
The company said it reset about 1,600 user passwords as a precaution and all of those users were notified and instructed to log in and re-set those passwords immediately. It also recommended that all customers activate two-factor authentication on their accounts.
News of the Adobe breach came in early October.
Adobe reset passwords for all of the users whose then-current credentials — their Adobe account ID with encrypted password — were in the database at the time of the attack and advised any customers who had used the same passwords on other accounts to change them as well.
An Adobe spokeswoman reiterated that in a statement Friday, adding that “Adobe welcomes the initiative taken by WordPress and other service providers to reset user passwords as a precaution in an effort to help protect our mutual customers.”
This has been a big embarrassment for Adobe. It’s bad that user information was compromised but experts said the theft of the actual source code to widely used products was an even bigger problem. Hackers can pore over that code to find and exploit vulnerabilities which could then take some time to be discovered.
Disclosure: Automattic, maker of WordPress.com, is backed by True Ventures, a venture capital firm that is an investor in the parent company of this blog, GigaOm. Om Malik, founder of GigaOm, is also a venture partner at True.