Adobe Has Been Hacked!

It’s much worse than anyone could have imagined.

Initially estimated at a data breach of 3 million compromised customer accounts, including credit card data and order records, the total has since risen over the past month to 38 million customer accounts, and more recently, an updated estimate has pegged the number of compromised accounts at 150 million. The hackers were also able to make off with some of Adobe’s closest-guarded secrets, including the source code for Photoshop and several other major projects.

In a nutshell, this means you need to change your password if you have an Adobe account. The hacked data is now floating around on the Internet for pretty much anyone to download and view. Of the portion that was encrypted, the strength of the algorithm hasn’t been mentioned; however, it is allegedly very weak, so it is prudent to assume that it’s only a matter of time until the encrypted segments of the database are fully unmasked.

The worst part about it? As an Adobe network user, I didn’t receive any sort of notification about this disaster when the breach was first announced. I didn’t receive notice when they put the estimate at 38 million hacked accounts. No, much to the contrary, I was finally given a security notice about this matter via e‑mail on Wednesday, November 6th, 2013, more than a month after the breach was announced to the public.

I’m not a CEO or a CTO, and I generally don’t profess to tell others how to do their jobs, but I feel this whole process has been absolutely disgusting. This is not how you manage security, much less keep users’ trust. It may well be the single biggest failure I’ve seen in more than a decade, as far as damage-control strategy goes.

Adobe, you clearly need to get your house in order.

As for the rest of us who are either users or customers, here’s a test site put up by LastPass where you can determine if your account is one of the compromised ones in the stolen database. Additionally, here is the direct link to the password reset page.

UPDATE (2013-09-10): the security firm Stricture Consulting has since posted this file with a sampling of decrypted passwords. If a white-hat firm can do it, I see nothing that would prevent a truly determined cybercriminal group from attempting to decrypt the ordering and credit card records that have already been leaked. If your Adobe account was affected by the breach and you had a credit card on it, now would be the time to phone your credit card provider and explain the situation. While it seems the keys themselves have not been accessed, there is no guarantee of security on any of the client records that have been stolen and released into the public domain. It’s better to simply cancel the old card(s) and not take any risks.