Author Topic: Your data is in good hands with Adobe. (Not)  (Read 9079 times)
daws
« on: October 03, 2013, 06:51:57 PM »

Los Angeles Times, October 3

Data, credit card numbers for 2.9 million Adobe users stolen

Quote
Adobe announced Thursday that it was the victim of a hack and that personal data for 2.9 million users were stolen.

The software company, known for Photoshop and other programs, said cyber attackers were able to access user information, including account IDs, encrypted passwords as well as credit and debit card numbers. The hackers were able to erase data of some Adobe users.

The hackers also illegally accessed source codes for numerous Adobe products. That's like stealing the secret formula for Coca-Cola.

The company did not specify which users of its various software programs were hit.

"We deeply regret that this incident occurred," Brad Arkin, Adobe's chief security officer, said in a blog post Thursday. "We’re working diligently internally, as well as with external partners and law enforcement, to address the incident."

The company said it has reset the passwords for affected customers and has contacted them with information on how to change their passwords. Adobe also recommends those users change their passwords for other websites.

For customers whose credit and debit card information was stolen, Adobe said it will send information on how they can protect themselves. The company will also offer those customers a complimentary one-year credit monitoring membership.

Adobe also said it has notified banks that process customers' payments about the attacks so they can help protect customers.

Finally, Adobe said it is working with federal law enforcement officials.



From CNET News:

The massive attack exposes customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.

Quote
Adobe announced on Thursday that it has been the target of a major security breach in which sensitive and personal data about millions of its customers have been put at risk.

Brad Arkin, senior director of security for Adobe products and services, explained in a blog post that the attack concerns both customer information and illegal access to source codes for "numerous Adobe products."

A few examples include Adobe Acrobat, ColdFusion, and the ColdFusion Builder. However, as far as the source code is concerned, Adobe assured that there is no "increased risk to customers as a result of this incident."

Adobe officials added that the investigation has not turned up any zero-day attacks either.

Unfortunately, the culprits have obtained access to a large swath of Adobe customer IDs and encrypted passwords.

Arkin specified that the attackers removed sensitive information (i.e. names, encrypted credit or debit card numbers, expiration dates, etc.) about approximately 2.9 million Adobe customers.

He added that investigators don't "believe the attackers removed decrypted credit or debit card numbers" from Adobe's systems.

While federal law officials are involved, Adobe stressed that there are some precautions that customers need to take action on now.

Adobe is resetting the passwords on breached Adobe customer IDs, and users will receive an email if they are affected. The software giant is also currently notifying customers whose credit or debit card information was exposed.

Adobe has also promised to offer these customers the option of enrolling in a one-year complimentary credit monitoring membership where available.


« Last Edit: October 03, 2013, 06:57:18 PM by daws » Logged
Steve Weldon
« Reply #1 on: October 03, 2013, 07:17:39 PM »

I am intimately familiar with the infrastructures retail corporations use to safeguard client information. Needless to say, data protection is a top priority because such breaches don't go over well with the clients and significant hits can be seen on paper by the time the bell rings.

Adobe is probably no more and no less vigilant than any other retail corporation.  IMO they are guilty of several ethic concerns but not this one.

As consumers in charge of our own finances we really should do our due diligence when dealing on-line. I personally use the one-credit card "just in time" method to finance on-line purchases. I have a debit card that maintains the minimum balance necessary for the desired free services and I transfer money into the account as needed for each purchase or group of purchases. The most I ever stand to lose is the minimum balance; the purchase amount is kept to such a limited time frame I don't consider it at risk.

This is different than the much more risky game of  using a major CC for international travel.  These days you can't help but assume some risks, but you can keep them minimized.
Logged

----------------------------------------------
http://www.BangkokImages.com
Mark D Segal
« Reply #2 on: October 04, 2013, 01:52:51 AM »

I wonder whether these companies whose data bases aren't adequately protected can be sued for negligence.
Logged

Mark D Segal (formerly MarkDS)
Author: "Scanning Workflows with SilverFast 8....." http://www.luminous-landscape.com/reviews/film/scanning_workflows_with_silverfast_8.shtml
stamper
« Reply #3 on: October 04, 2013, 03:40:10 AM »

Quote Steve Reply#1

Adobe is probably no more and no less vigilant than any other retail corporation.  IMO they are guilty of several ethic concerns but not this one.

unquote

Does this mean everybody with a stored credit card can feel happy? The fact that all of them can so easily be hacked means that we don't need to feel upset. Seeing you "know" so much about it, tell us: do we have to contact our credit card company or does Adobe do it? Your statement smacks of complacency....at the very least. Angry
Logged

Isaac
« Reply #4 on: October 04, 2013, 11:12:15 AM »

Your statement smacks of complacency....at the very least.

On the contrary, Steve Weldon clearly assumes the worst-case and tells us what he does to protect himself.
Logged
stamper
« Reply #5 on: October 05, 2013, 03:35:11 AM »

On the contrary, Steve Weldon clearly assumes the worst-case and tells us what he does to protect himself.

I think he is being overly cautious because if the money is "stolen" by someone then the credit card company takes the hit. This statement might seem contradictory to my earlier concerns about money loss. However even though I know I am covered it is the hassle of changing credit card details with different vendors and at my age remembering the new code for my card. It is embarrassing in a shop when you input the wrong numbers and you have only three tries.  Grin
Logged

PhotoEcosse
« Reply #6 on: October 05, 2013, 04:19:09 AM »

I think he is being overly cautious because if the money is "stolen" by someone then the credit card company takes the hit. This statement might seem contradictory to my earlier concerns about money loss. However even though I know I am covered it is the hassle of changing credit card details with different vendors and at my age remembering the new code for my card. It is embarrassing in a shop when you input the wrong numbers and you have only three tries.  Grin

...and it assumes that folk actually check their credit card and bank statements. I believe that over 80% of us do not.
Logged

************************************
"Reality is an illusion caused by lack of alcohol."
Alternatively, "Life begins at the far end of your comfort zone."
stamper
« Reply #7 on: October 05, 2013, 04:48:49 AM »

Not much can be done about that scenario except if it does happen then vigilance becomes uppermost in someone's mind. Experience is a great teacher...or it should be?
Logged

Steve Weldon
« Reply #8 on: October 05, 2013, 06:17:44 AM »

I wonder whether these companies whose data bases aren't adequately protected can be sued for negligence.

While the old saying: "you can sue anybody for anything" holds even in this case I doubt they'd prevail.  It's far more likely the credit card company would suspend or cancel their contract due to negligence.
« Last Edit: October 05, 2013, 07:15:52 AM by Steve Weldon » Logged

----------------------------------------------
http://www.BangkokImages.com
Mark D Segal
« Reply #9 on: October 05, 2013, 06:30:26 AM »

While the old saying: "you can sue anybody for anything" holds even in this case I doubt they'd prevail.  It's far more likely the credit card company would suspend or cancel their contract due to negligence.

I'd be surprised if even that happened - far too much commercial interest involved to let even a massive security glitch destroy the future cash flow.
Logged

Mark D Segal (formerly MarkDS)
Author: "Scanning Workflows with SilverFast 8....." http://www.luminous-landscape.com/reviews/film/scanning_workflows_with_silverfast_8.shtml
Steve Weldon
« Reply #10 on: October 05, 2013, 07:14:33 AM »


Does this mean everybody with a stored credit card can feel happy? The fact that all of them can so easily be hacked means that we don't need to feel upset. Seeing you "know" so much about it, tell us: do we have to contact our credit card company or does Adobe do it? Your statement smacks of complacency....at the very least. Angry


1.  This would depend which pharmaceuticals they happen to be on..  Roll Eyes

2.    To "need" to feel upset.. probably stems from anger, maybe a feeling of helplessness, possibly financial stress, and yet another draw on our time because "some minimum wage worker" failed to do their job. This indeed is a common draw on such a situation.

But what many don't know/realize is a corporation's financial suite often exceeds a lifespan of 10+ years. The process starts with a lot of research identifying the needs, and then bids to the different contractors who design and build such systems, lots of internal negotiations as to the best way to proceed and of course where the money comes from (because the process is expensive) and the best time frames. And finally the teams arrive, often taking from 6-18 months from arrival to roll out and testing and finally certification. The entire process can take years. And the much smaller responses to emerging conditions (a new way to hack, new or expired hardware, etc) during the evolution take their toll as well.

3.  I think this is a personality thing.  Personally I've always felt the need to be proactive concerning my finances.   How about you?

4.  Then I failed as a writer.  My apologies.
Logged

----------------------------------------------
http://www.BangkokImages.com
kers
« Reply #11 on: October 29, 2013, 04:20:45 AM »

Adobe Breach Impacted At Least 38 Million Users

"The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the company’s Photoshop family of graphical design products"


http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/
Logged

Pieter Kers
www.beeld.nu
Doyle Yoder
« Reply #12 on: October 29, 2013, 09:04:18 AM »

Inside job, maybe?

http://forums.adobe.com/thread/1320791?tstart=0
Logged
Tim Lookingbill
« Reply #13 on: October 29, 2013, 11:13:06 AM »

Thanks for posting this...REALLY!

As a recent ID theft victim (both credit card & IRS fake tax refund in my name), that Krebs link led me to the Dept of Justice online press release stating the arrest of the owner of Superget.info from referencing this Krebs link...

http://krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service/

http://www.justice.gov/opa/pr/2013/October/13-crm-1116.html

This issue, and from what I'm seeing is shared by a lot of others as well, has led to a petition to the US gov. demanding corporations that have databases hacked to inform every individual that their personal info was stolen and not just offer some blanket email alert to change an account password.

Experian most likely is going to get sued over what they did, but I do think Adobe needs to take a more active role in informing their customers on issues like this.

I still don't know for sure how my personal information was stolen since I practically live like a hermit and have never lost my wallet. Due to the timing I know my ID theft victimization was not on account of Adobe being hacked.

It's just that the Krebs report is the first I've heard of what I linked above and Krebs himself. I've been quite busy this morning seeing how many other ways ID has accidentally or intentionally been released.
« Last Edit: October 29, 2013, 11:15:21 AM by Tim Lookingbill » Logged
PierreVandevenne
« Reply #14 on: October 30, 2013, 05:19:40 AM »

This issue, and from what I'm seeing is shared by a lot of others as well, has led to a petition to the US gov. demanding corporations that have databases hacked to inform every individual that their personal info was stolen and not just offer some blanket email alert to change an account password.

It's just that the Krebs report is the first I've heard of what I linked above and Krebs himself. I've been quite busy this morning seeing how many other ways ID has accidentally or intentionally been released.

Krebs is a bit like the Michael Reichman of IT Security issues impacting customers. He's very well connected, understands the details and the overall impact of info he receives and his thoughts are extremely valuable.

As far as laws are concerned, there are laws in many places nowadays, one of the first was California. Discussed here when it was announced (http://www.securityfocus.com/news/1984).

Leaving aside the fact that a large batch of hashed passwords is roughly 85% as useful as a batch of plain text to competent hackers, we have to take into account that Adobe itself doesn't necessarily know and will not necessarily know what happened. The standard semi-reassuring but vague language of the initial release, which I commented on a bit in another post, made that clear.

A typical incident often evolves like this:

Credit Card companies identify a pattern in frauds. That pattern points to people who have been customers of company X or store Y. Credit Card contacts X and Y. They are unaware they have been compromised and start an investigation at that point. Potential breach sources are identified and examined. Depending on the logging available, on how well the forensic aspects were handled, on how competent the hackers were, this can take a long time and yield partial results. And, while in practice investigations do complete, there's still the lingering doubt of having missed something. It's not easy to see where the line has to be drawn. Even if it wanted to (which is doubtful given the initial details) there isn't a single moment where one can say "we have everything, we disclose everything, case closed".

Last but not least, replacing 38.000.000 credit cards has a cost. There will be a cost vs risk analysis at the bank and CC level. In the late 90s, the RSA factors of the French bank cards were compromised: in practice, that meant that people could withdraw cash with phantom cards. Banks and IT security specialists were aware of it, quite a few hackers as well. But changing the system for that single reason was seen as too expensive and a "fix as you go" plan was put in place. It lasted for years...


Logged
Doyle Yoder
« Reply #15 on: October 30, 2013, 10:38:55 AM »

And now my CC company is so paranoid that they block authorization at the smallest whim, this within less than two weeks after issuing a new number.

Should I notify them that I will not do business with Adobe ever again?
Logged
Tim Lookingbill
« Reply #16 on: October 30, 2013, 01:23:40 PM »

Quote
And, while in practice investigations do complete, there's still the lingering doubt of having missed something. It's not easy to see where the line has to be drawn. Even if it wanted to (which is doubtful given the initial details) there isn't a single moment where one can say "we have everything, we disclose everything, case closed".

So this is why a lot of the ID theft victims' experiences (a lot of them from talking to CSR types) voluntarily disclosed to me after my insistence on not giving out SSN/DOB has every one of them state the culprits were never caught and they (the ID victims) were never out of pocket because the CC and/or bank's insurance covered the loss.

Which helps me understand this a bit more...

Quote
But changing the system for that single reason was seen as too expensive and a "fix as you go" plan was put in place. It lasted for years...
Logged
Tim Lookingbill
« Reply #17 on: October 30, 2013, 01:37:48 PM »

And now my CC company is so paranoid that they block authorization at the smallest whim, this within less than two weeks after issuing a new number.

Should I notify them that I will not do business with Adobe ever again?

I'm trying to remember the last time I bought any software directly off Adobe's site, for which I would've used my credit card, but my last purchases CS3, CS5 and Lightroom were discs bought through Amazon.

I wish I knew if Adobe REALLY had my credit card info on file, but on looking back it would have had to have been the old "HSBC" Household bank version that was destroyed and reissued with a new number back in March of 2012, new info I know for a fact I didn't update on Adobe's site. And I know for a fact I didn't buy directly off Adobe's site from that point onward.
« Last Edit: October 30, 2013, 01:39:42 PM by Tim Lookingbill » Logged
thierrylegros396
« Reply #18 on: October 31, 2013, 01:42:49 PM »

Adobe hack affects 38 million users, not 2.9 million.

http://www.dpreview.com/news/2013/10/30/adobe-hack-affects-38-million-users-not-2-9-million?utm_campaign=internal-link&utm_source=news-list&utm_medium=text&ref=title_0_7

No Adobe Cloud for me !!
Logged
PierreVandevenne
« Reply #19 on: November 01, 2013, 01:09:01 PM »

Enjoy - up to 135 million now

http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/

That's just priceless.

But I also have to apologize: in my comments I put the word encrypted in quotes because I couldn't believe that the password file was actually encrypted with a symmetric algorithm and thought they used the word as a generic term for hashing or salted hashing (most non tech users wouldn't make the difference).

But, no, they actually encrypted it. :-( Apparently this was only a backup, and Adobe claims it uses standard decent methods now (salted hashes) but leaving aside questions of key length, mode for the block cipher (ECB is bad state my ... 1990 cryptographic books), known plaintext attacks, etc... one could also wonder if, since the hackers took source code, Adobe's own LDAP directory etc... if they simply did not also have access to the backup encryption key. As already noted, a careful parsing of Adobe's releases indicates that the password file wasn't decrypted on Adobe servers.

Or is it stored on a Post-It note in one of Adobe's IT security guys wallet?

EDIT wrong number corrected
« Last Edit: November 01, 2013, 01:12:06 PM by PierreVandevenne » Logged
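An added illustration of the encryption-versus-salted-hash point raised in the post above (not code from the thread, from Adobe, or from any article linked here): a check a defender can run over a credential table to see whether equal passwords produce equal stored values. The toy Feistel cipher, the 8-byte block size, the key and the sample passwords are all constructed assumptions standing in for a real block cipher in ECB mode.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 8  # bytes per cipher block (assumed size for this toy cipher)
KEY = b"constructed-demo-key"  # constructed key, not a real secret
# Constructed sample passwords, not taken from any breach.
SAMPLE = ["123456", "123456", "photoshop", "123456",
          "password1234", "password9999", "Tr0ub4dor&3"]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network: a toy stand-in for a real block cipher.
    Like any block cipher, it maps equal input blocks to equal output blocks."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def ecb_encrypt(key: bytes, password: str) -> bytes:
    """Pad (PKCS#7 style) and encrypt each block independently: ECB mode."""
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def salted_hash(password: str) -> bytes:
    """Per-record random salt + PBKDF2. Iteration count kept low so the
    demo runs quickly; production settings are far higher."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def repeated_values(stored: list) -> int:
    """Records whose full stored value is shared with another record."""
    return sum(n for n in Counter(stored).values() if n > 1)


def shared_first_block(stored: list) -> int:
    """Records whose first BLOCK bytes are shared with another record."""
    counts = Counter(v[:BLOCK] for v in stored)
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    for name, store in (("ecb", [ecb_encrypt(KEY, p) for p in SAMPLE]),
                        ("salted", [salted_hash(p) for p in SAMPLE])):
        print(name, repeated_values(store), shared_first_block(store))
```

Any non-zero count on a real credential column means the storage scheme is deterministic per password, so one weak or hinted password exposes every account that shares it, even without the key.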