It’s much worse than anyone could have imagined.
Initially estimated at 3 million compromised customer accounts, including credit card data and order records, the total rose over the following month to 38 million customer accounts, and the most recent estimate puts the number of compromised account records at 150 million. The hackers also made off with some of Adobe’s most closely guarded secrets, including the source code for Photoshop and several other major products.
In a nutshell, this means you need to change your password if you have an Adobe account. The stolen database is now circulating on the Internet for pretty much anyone to download and view. Adobe has not said how the encrypted portion was protected, but it is reportedly very weak (it has since emerged that the passwords were encrypted with 3DES in ECB mode rather than hashed, and that the password hints were stored in clear text alongside them), so it is prudent to assume it is only a matter of time until the encrypted segments of the database are fully unmasked.
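To make the "very weak" claim concrete, here is an added example (not code from the original post, and nothing from the breach itself) showing why ECB-mode password storage falls without the key, which is also how the decrypted samples mentioned in the UPDATE below were obtained. The records, the hints and the key are constructed; the block function is a keyed HMAC truncated to 8 bytes standing in for 3DES, which is enough because the analysis never decrypts anything. Identical passwords yield identical ciphertexts, the number of 8-byte blocks bounds the password length, and passwords sharing a leading 8-character chunk share their first block, so one user's careless hint gives away every account in the same cluster.

```python
"""ECB password-storage leak, demonstrated on constructed records.

The block function below is a stand-in for 3DES: any deterministic keyed
transform of one 8-byte block reproduces ECB's leak. It is not invertible,
and the analysis never decrypts, which is the point.
"""
import hashlib
import hmac
from collections import defaultdict

BLOCK = 8  # DES/3DES block size in bytes

# Assumed static key: under ECB every record is encrypted with the same key,
# so the attacker can correlate records without ever learning it.
KEY = b"assumed-static-site-key"


def block_fn(block: bytes) -> bytes:
    """Deterministic keyed 8-byte transform standing in for a block cipher."""
    assert len(block) == BLOCK
    return hmac.new(KEY, block, hashlib.sha256).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding up to a whole number of blocks."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def ecb_encrypt(plaintext: bytes) -> bytes:
    """ECB: every block is transformed independently; no IV, no chaining."""
    p = pad(plaintext)
    return b"".join(block_fn(p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


# Constructed sample records, not data from the breach: (email, password, hint)
RECORDS = [
    ("a@example.com", "123456", "numbers"),
    ("b@example.com", "123456", "one to six"),
    ("c@example.com", "123456", "the obvious one"),
    ("d@example.com", "password1", "usual plus one"),
    ("e@example.com", "password2", "usual plus two"),
    ("f@example.com", "correct horse", "xkcd"),
]


def dump_table(records):
    """What the leaked table looks like: ciphertext plus clear-text hint."""
    return [(email, ecb_encrypt(pw.encode()), hint) for email, pw, hint in records]


def password_length_bound(ct: bytes):
    """Block count leaks length: n blocks means 8*(n-1) <= len(pw) <= 8*n-1."""
    n = len(ct) // BLOCK
    return (BLOCK * (n - 1), BLOCK * n - 1)


def cluster_by_ciphertext(table):
    """Group hints by identical ciphertext: same password, same ciphertext."""
    clusters = defaultdict(list)
    for _, ct, hint in table:
        clusters[ct].append(hint)
    return dict(clusters)


def shared_prefix_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """Passwords sharing a leading 8-byte chunk share their leading blocks."""
    count = 0
    for i in range(0, min(len(ct_a), len(ct_b)), BLOCK):
        if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]:
            break
        count += 1
    return count


def largest_clusters(table, top=3):
    """Most common ciphertexts with their hints: where guessing starts."""
    clusters = cluster_by_ciphertext(table)
    ranked = sorted(clusters.items(), key=lambda kv: -len(kv[1]))
    return [(len(hints), hints) for _, hints in ranked[:top]]


if __name__ == "__main__":
    table = dump_table(RECORDS)
    for size, hints in largest_clusters(table):
        print(size, "accounts share one ciphertext; hints:", hints)
    for email, ct, _ in table:
        print(email, "password length within", password_length_bound(ct))
```

Run it and the three "123456" accounts collapse into one ciphertext whose hints spell out the password, while "password1" and "password2" betray their common first eight characters. A salted, iterated password hash would have made every one of these correlations impossible.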
The worst part about it? As an Adobe network user, I didn’t receive any sort of notification about this disaster when the breach was first announced. I didn’t receive notice when they put the estimate at 38 million hacked accounts. No, much to the contrary, I was finally given a security notice about this matter via e‑mail on Wednesday, November 6th, 2013, more than a month after the breach was announced to the public.
I’m not a CEO or a CTO, and I generally don’t profess to tell others how to do their jobs, but I feel this whole process has been absolutely disgusting. This is not how you manage security, much less keep users’ trust. It may well be the single biggest failure I’ve seen in more than a decade, as far as damage-control strategy goes.
Adobe, you clearly need to get your house in order.
As for the rest of us who are either users or customers, here’s a test site put up by LastPass where you can determine if your account is one of the compromised ones in the stolen database. Additionally, here is the direct link to the password reset page.
UPDATE (2013-09-10): the security firm Stricture Consulting has since posted this file with a sampling of decrypted passwords. If a white-hat firm can do it, I see nothing that would prevent a truly determined cybercriminal group from attempting to decrypt the ordering and credit card records that have already been leaked. If your Adobe account was affected by the breach and you had a credit card on it, now would be the time to phone your credit card provider and explain the situation. While it seems the keys themselves have not been accessed, there is no guarantee of security on any of the client records that have been stolen and released into the public domain. It’s better to simply cancel the old card(s) and not take any risks.