
Adobe accounts hacked, data exposed for 2.9 million customers

By dpreview staff on Oct 3, 2013 at 22:51 GMT

Cyber attackers breached Adobe's security recently, compromising data on 2.9 million customers. Data accessed includes 'customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders,' according to a company blog post.

The attack exposes a weakness in the company's new Creative Cloud subscription model, which omits the 'bits-in-a-box' distribution method in favor of faster access to software updates through a monthly subscription. Adobe says it's working with law enforcement to address the security breach. See the press release below for more.


Press Release:

Important Customer Security Announcement

POSTED BY BRAD ARKIN, CHIEF SECURITY OFFICER ON OCTOBER 3, 2013 8:08 AM IN EXECUTIVE PERSPECTIVES

Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers. Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related.

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident. We’re taking the following steps:

  • As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.
  • We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.
  • We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.
  • We have contacted federal law enforcement and are assisting in their investigation.

We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident. For more information, please see the blog post here.

We value the trust of our customers. We will work aggressively to prevent these types of events from occurring in the future. Again, we deeply regret any inconvenience this may cause you. If you would like additional information, please refer to Adobe’s Customer Support page.

Brad Arkin

Chief Security Officer

Comments

Total comments: 138
By Nukunukoo (6 months ago)

Gonna change my credit card details now, just to be sure. X(

0 upvotes
By Lawrencew (6 months ago)

I am not sure why people are blaming this on Creative Cloud and seeing it as a "nail in the coffin" of Cloud Computing in general.

Even if customers had purchased physical 'bits-in-a-box' or purchased a one-off download of software they could use in perpetuity (such as Lightroom), they would likely still have done this by registering with Adobe and providing their credit card details, and ticking an option to allow Adobe to store those details as is common with many on-line retailers.

Creative Cloud and Cloud Computing changes little in that respect of e-commerce.

What it does do I guess is focus all that activity on Adobe itself, rather than numerous retailers who would each have taken the transaction. So the problem is putting all your eggs in one basket. (something that Adobe could address by architecting its systems in such a way that a single attack can't crack all the eggs)

1 upvote
By Mogens (6 months ago)

Well what CC does is to require you to always have current and correct information in the database of Adobe.
My information in their system was fortunately from an old out of date location and credit card so I should be safe.
Anyone in CC should change credit card to be safe.

3 upvotes
By GodSpeaks (6 months ago)

For one, the difference is the size of the target.

Adobe is a BIG target. On the other hand, a retailer is a much smaller target, even a retailer like B&H.

2 upvotes
By abolit66 (6 months ago)

"I am not sure why people are blaming this on Creative Cloud"
Because Adobe deserves it. Every bit of it.

7 upvotes
By Just a Photographer (6 months ago)

Now we know why Adobe called their new suite 'Credit Card'.
First they hack the software, now they have hacked all customers' credit cards.

7 upvotes
By Hugo600si (6 months ago)

"which omits the 'bits-in-a-box' distribution method in favor of faster access to software updates through a monthly subscription"
I think it's clear for all, it omits normal software distribution in favor of greed and control by a megalomaniac company.

2 upvotes
By Jon Lewis (6 months ago)

Another nail in CC's coffin

2 upvotes
By RStyga (6 months ago)

"Adobe reported what it called a “sophisticated” cyberattack on its network..." reports MacWorld Australia.

God forbid, if it wasn't "sophisticated", what would that mean for your security measures, right Adobe?

11 upvotes
By Horshack (6 months ago)

Cue the AmEx commercial..."I bought a CC subscription and all I got was lousy rent-to-never-own software and an unauthorized charge to my credit card from some guy named Gunther who apparently likes to patronize foot-fetish porn establishments in Eastern Europe."

23 upvotes
By Ergo607 (6 months ago)

A.D.O.B.E.
All Data Open in the Blink of an Eye

24 upvotes
By GodSpeaks (6 months ago)

Another nail in the coffin of Adobe and 'Cloud' computing in general.

13 upvotes
By CameraLabTester (6 months ago)

The thieves loved this.

Swiping small incremental amounts on a monthly basis sure does effectively go under the radar of even the most scrutinizing bean counter accountant.

Those $5.95 on your statements could well be from them varmints...

.

5 upvotes
By Stefanie (6 months ago)

Thanks to the creative crap model, Adobe has to store a lot of credit card information. I wouldn't be surprised if their encryption isn't as sophisticated and safe as they say. For me Adobe has lost any credibility and trust a long time ago.

13 upvotes
By nunatak (6 months ago)

"Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available."

As if this gets them off the hook. Their security lapses are causing additional work (time and money) for all those involved, and at a bare minimum should compensate customers with a full year's rebate or a full year's free subscription. Customer's choice. I trust Adobe to keep my data safe, and if they can't guarantee security they should go back to physical releases.

How many times should we renew our credit card numbers and passwords because of lame assed security? Deeply aggrieved.

11 upvotes
By b534202 (6 months ago)

Good luck if you're looking for more stuff.
Sony got hacked even harder and they still only gave people a year of credit monitoring and a 30 day subscription.

0 upvotes
By Mark Alan Thomas (6 months ago)

A credit monitoring membership which auto-renews and is difficult to quit?

5 upvotes
By justinwonnacott (6 months ago)

Now I am mad ... I do not want to rent anymore. I hope this becomes big news so that every potential rental customer knows about this catastrophe.

29 upvotes
By BJN (6 months ago)

Bob.brown in comments at Ars Technica: "Adobe has not reset customer passwords. Instead, after you log in, there's a link to a "Customer security alert" which provides instructions for resetting your own password. In other words, customers who do not log in regularly are (apparently) waving in the wind. I was able to sign in a minute or so ago with my old password."

I can confirm this is true. If you have an Adobe account you have to log into your account (Adobe Forums will do it) to get a reset request. Adobe was hacked back in August, by the way.

23 upvotes
By fireplace33 (6 months ago)

Changing your Adobe password sounds like a wise step, but if the thieves already have all your credit card details, then maybe that card should be changed as well?

3 upvotes
By GrizzlyAK (6 months ago)

Seems like criminals would forget about Adobe, Microsoft, and every other company out there. They only need to hack the NSA since they have all the relevant information on EVERYONE! <grin>

6 upvotes
By GrizzlyAK (6 months ago)

The Cloud is a joke. Anyone who would put their personal or corporate data, or creative work, willingly into the hands of a vendor that you have to pay rent to to use their products (or any company, for that matter), isn't serious about data security, or is just uninformed. I recently bought CS6 Master anticipating that it will be the last Adobe product I buy, ever, i.e., if the 'cloud' is the future for Adobe products. This is not a business model we end users want for the future of SW. That wouldn't be an option to users of CC. All you photographers and creatives ask yourself this: What happens 5 years from now when you've stopped paying rent and someone wants to pay you a premium for that fantastic PS file you created from that perfect image. Um... Go ahead, commit to a 12 month lease so you can access the file. Yeah, didn't think so.

27 upvotes
By BJN (6 months ago)

You can do the more expensive monthly option, but I agree with your main point. With many Adobe applications, as versions increment ahead files are no longer backwards-compatible either. I'm on Creative Cloud and despise it. There have been file-corrupting bugs - Photoshop text attributes interacting with layers is one - and Adobe rolls out new features that break things even as you must update in order to patch older issues.

5 upvotes
By LIMD (6 months ago)

That is the new model of software distribution - release constantly untested software and release patches and patches for patches...

If I'm not wrong Google started this with Chrome versions, Firefox caught on to it and the rest followed.

I prefer the old release cycle...

2 upvotes
By Sean Clark (6 months ago)

The Flash and Acrobat plugins have been on the unending patch cycle since before Chrome was written and are still constant security problems. Did Adobe hire ex Outlook programmers?

0 upvotes
By Jim Radcliffe (6 months ago)

Adobe and its shareholders made themselves a target for this. Is anyone really surprised?

9 upvotes
By thx1138 (6 months ago)

Oh yeah, this was never going to happen. The Cloud is the future, the Cloud is your friend, the Cloud is secure and without end and with Adobe in tow you'll spend, spend, spend.

31 upvotes
By Zanziboy (6 months ago)

Information security is just an oxymoron. As long as companies and governments entrust the management of their server networks to outside agencies, there will always be hacks like this.

0 upvotes
By Henry M. Hertz (6 months ago)

Let's see what John Nack has to say... I'm pretty sure he is working on excuses all day.

I hope people wake up some day.
It's not only Adobe... all this data mining and cloud stuff is crap.

Learn to protect your privacy!

5 upvotes
By ecm (6 months ago)

The real story is how few of us actually care WHAT happens to Adobe any more.....

34 upvotes
By Henry M. Hertz (6 months ago)

+1

2 upvotes
By howardroark (6 months ago)

Nobody deserves to have their personal information stolen, but this is one of the consequences of allowing a company to have all your current credit information for a subscription service. Adobe can't be trusted to secure your information or take care of its loyal customers that want to simply buy a license. Suck it, Adobe.

5 upvotes
By zmotula (6 months ago)

I decided to bite the bullet about ten years ago after going through an activation hell with my legit copy of Fireworks. (My sin was that I forgot to deactivate the copy on my machine before I reinstalled the OS.) I swore never to let any Adobe software on my computer any more and every time I see a news story about Adobe, I am happy about that decision.

1 upvote
By sebastian huvenaars (6 months ago)

Well, I kinda care. I very much like using Adobe's software, seeing them destroying themselves like they do is a sad thing.

Does this mean I feel sympathy for Adobe? Not a bit, greedy fckrs haha :P

2 upvotes
By Robert Kovacs (6 months ago)

Adobe's great "secure" Creative Cloud. They can keep it!!.

12 upvotes
By sportyaccordy (6 months ago)

Welcome to the cloud!

12 upvotes
By Optimal Prime (6 months ago)

Poetic justice.

15 upvotes
By garyknrd (6 months ago)

+1

1 upvote
By chuirox (6 months ago)

The real story here is that little paragraph about access to source code. They got the Acrobat source code, and if you think Acrobat was a dangerous vector before, wait a month or two. PDFs are going to be so toxic that no company in their right mind will be running Acrobat. If ever there was a time for FoxIt, Nuance, or some other PDF software, it's now.

8 upvotes
By zoob (6 months ago)

wow. You are so right.

1 upvote
By Higuel (6 months ago)

? o_O

0 upvotes
By Digitall (6 months ago)

I think hackers hate Adobe, also. The pressure of the shareholders and the rush of profit led to neglect of safety, a word that both Adobe sells this product is safety. How can we be sure of our work in the sophisticated Adobe? Who sows the wind, reaps the whirlwind. Nice one Adobe.

9 upvotes
By Diopter (6 months ago)

keeping simple may be popular again some day

11 upvotes
By moogle73 (6 months ago)

Adobe, how 'bout you go back to what you're good at, make good software, sell it to your customers on disks like the good old days, and let me (and every other customer) keep our own files secure... thanks.

- From a customer who is no longer a customer as I refuse to buy into your "rent my software" extortion scheme.

46 upvotes
By Eric Sorensen (6 months ago)

My thoughts exactly.

4 upvotes
By SETI (6 months ago)

+100
Was 15 years with Adobe and now I'm glad I'm not in CC

2 upvotes
By NancyP (6 months ago)

Nothing here suggests that the damage is limited to CC customers. People who bought their software outright may also be at risk.

8 upvotes
By shoevarek (6 months ago)

This is a good point. If I remember correctly one must create an account in order to buy software like Lightroom or PS directly from Adobe. I do not remember what credit card payment system they use but they might be storing that information too if you buy online.

0 upvotes
By howardroark (6 months ago)

Only with the option to purchase your software you can buy a disc from anywhere and even use cash should you so desire.

1 upvote
By windsprite (6 months ago)

Not me. I paid cash for mine at a brick and mortar shop.

3 upvotes
By Graham Hill (6 months ago)

Great job Adobe! Way to go, to make the cloud so attractive!

14 upvotes
By glasswindow (6 months ago)

Nobody ever said clouds were secure.

1 upvote
By moogle73 (6 months ago)

Worst part is, if I were a betting man, that is the whole point of this "security breach": make the cloud solution even LESS appealing than it already is. More times than not, corporations don't get hacked until they step on the wrong toes and make the wrong people mad, then they become a target. If I were a betting man, with how many people got upset with their "cloud only services" and no longer selling software outright that they are pushing. I would bet you had more than your share of people who use Adobe products who are also a part of the larger hacking groups out there (like Anonymous, but not saying it was them) hence putting them on "the list" as a target. They wanted to make sure there was a breach, smearing Adobe's cloud services as unsecured, foolish, and hopefully creating even more backlash than what already exists. In my eyes it's pretty clear what's going on here, but that would be "if I were a betting man" situation.

2 upvotes
By mike kobal (6 months ago)

neither are glasswindows ;)

0 upvotes
By RobertSigmund (6 months ago)

One more reason to do without Adobe in the future.

27 upvotes