Adobe's security breach in October was far more serious than believed

Adobe announced in early October that it had suffered a security breach which resulted in the compromise of approximately 3 million customers' data as well as the loss of some proprietary source code. Attackers made off with customers' names, encrypted payment card numbers and card expiration dates, as well as source code for the ColdFusion web application server and the Acrobat programmes. KrebsOnSecurity, the blog that spotted the initial attack, now puts the number of customers affected by the breach at some 38 million, and the lifted source code is also said to include Photoshop. According to the KrebsOnSecurity blog, it has taken some time to uncover the extent of the breach because:

At the time, a massive trove of stolen Adobe account data viewed by KrebsOnSecurity indicated that — in addition to the credit card records – tens of millions of user accounts across various Adobe online properties may have been compromised in the break-in. It was difficult to fully examine many of the files on the hackers’ server that housed the stolen source because many of the directories were password protected, and Adobe was reluctant to speculate on the number of users potentially impacted.

Over the weekend, a large file of username and encrypted password pairs, which appear to be Adobe account details, was posted on AnonNews.org.

Adobe has contacted all of the active customers whom it believes to have been affected and says that there has been no 'unauthorised activity' on any of the compromised accounts since the attack. Inactive customers have yet to be contacted. Regardless of whether they were active or inactive, users whom Adobe believed to be affected by the attack had their passwords reset.

Whether Adobe chose to downplay the extent of the attack earlier in the month because it couldn't be certain of the number of affected customers or because it preferred to minimise the damage, neither explanation presents it in the best light. One scenario makes it look careless, the other deceptive. I wonder how many customers are now looking for alternative products and providers... or waiting for a replicant based on the stolen code?

(Heads-up to Engadget)

Update! Heather Edell, Adobe's Senior Manager of Corporate Communications emailed me in the early hours of 30 October. She stated that:

In our public disclosure, we communicated the information we could validate. As we have been going through the process of notifying customers whose Adobe IDs and passwords we believe to be involved, we have been eliminating invalid records. Any number communicated in the meantime would have been inaccurate. So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and what were at the time valid, encrypted passwords for approximately 38 million active users. We have completed email notification of these users. We believe the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data. We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident. Our notification to inactive users is ongoing. We currently have no indication that there has been unauthorized activity on any Adobe ID account involved in the incident.

In short: approximately 2.9 million customers had their names, encrypted payment card numbers and card expiration dates stolen by the attackers, and some 38 million active users had their Adobe IDs and encrypted passwords taken. Because Adobe was unable to validate the number of users affected by the loss of Adobe IDs and encrypted passwords, it did not disclose that figure initially, and waited until it had more accurate numbers.