Cyber attacks are an unfortunate reality as more and more businesses move their operations online. Earlier in October, Adobe warned customers about a series of “sophisticated attacks” against its network. The Adobe security breach allowed hackers access to private information belonging to nearly 3 million customers. The data that was accessed included user IDs and passwords, customer names, credit card details and customer order information. The hackers also had access to the source code for numerous Adobe products, including the Photoshop family of graphical design software.
Brad Arkin, Chief Security Officer for Adobe, said “We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.”
In a blog post this week by Brian Krebs, it was revealed that early estimates were far too low and the actual number of customer accounts affected by the breach may have been in the tens of millions.
According to Krebs, he has viewed evidence that contained the user names and passwords for tens of millions of accounts apparently taken from Adobe. This past weekend AnonNews.org also posted a link on their website to a 3.8gb file called “users.tar.gz” that reportedly contained information for more than 150 million Adobe user accounts.
AnonNews.org posted a link to a 3.8gb file called “users.tar.gz”
Heather Edell, spokesperson for Adobe, has since confirmed the intrusion to Krebs. She claimed Adobe had just completed an extensive campaign to notify users of the security breach and has reset the passwords of those accounts that were affected.
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” Edell said. “We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.”
In addition to changing user passwords, Adobe has arranged for one year of free credit monitoring for those customers who had their credit card data stolen in the incident. Oddly enough, Adobe’s offering of peace comes by way of the Experian credit monitoring system. Experian, one of the three major credit bureaus, is still recovering from a recent security incident that involved the company being tricked into selling consumer records to an identity theft ring.
I recently received one of the letters that Adobe sent out to their customers. The letter confirmed the Adobe servers were attacked between September 11th and September 17th and went on to say that hackers had accessed “customer names, payment card expiration dates, encrypted payment card numbers, and other information relating to customer orders.”
Brad Arkin, Chief Security Officer for Adobe, also said “In addition, the third party used our systems to decrypt some card numbers.”
Adobe Notification Letter (Part 1)
Adobe Notification Letter (Part 2)
Adobe seems to be taking its customers’ safety seriously. While I would not recommend walking away from their offer for the year of free credit monitoring, as Krebs points out, this kind of service is not guaranteed to catch all forms of identity theft that might arise from an incident such as this. I would concur that Adobe users should also place fraud alerts on their accounts and watch their credit reports more closely.
Chris Dougherty is a grey hat hacker and online security expert. Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.