Adobe announced that it had suffered a security breach in early October that had resulted in the compromise of approximately 3 million customers' data as well as the loss of some proprietary source code. Attackers made away with customers' names, encrypted payment card numbers, and card expiration dates as well as the code for the ColdFusion web application and its Acrobat programmes. KrebsOnSecurity, the firm that spotted the initial attack has now placed the figure of customers affected by the breach at some 38 million, and the source code that was lifted is also said to include Photoshop. According to the KrebsOnSecurity blog, it has taken some time to uncover the extent of the violation because:

At the time, a massive trove of stolen Adobe account data viewed by KrebsOnSecurity indicated that — in addition to the credit card records – tens of millions of user accounts across various Adobe online properties may have been compromised in the break-in. It was difficult to fully examine many of the files on the hackers’ server that housed the stolen source because many of the directories were password protected, and Adobe was reluctant to speculate on the number of users potentially impacted.

Over the weekend, a large file of username and hashed password pairs was posted by AnonNews.org, which appear to be Adobe account details.

Adobe has contacted all of the active customers whom it believes to have been affected and claims that there has been no 'unauthorised activity' on any of the compromised accounts since the attack. It now remains for the inactive customers to be contacted. And regardless of whether users were active or inactive, their passwords were reset if Adobe believed that they were affected by the attack.

Whether Adobe chose to downplay the extent of the attack earlier in the month because it couldn't be certain of the number of affected customers or because it prefered to minimise the damage does not present it in the best light. One scenario makes it look careless, the other deceptive. I wonder how many customers are now looking for alternative products and providers... or waiting for a replicant based on the stolen code?

(Headsup to Engadget)

Update! Heather Edell, Adobe's Senior Manager of Corporate Communications emailed me in the early hours of 30 October. She stated that:

In our public disclosure, we communicated the information we could validate. As we have been going through the process of notifying customers whose Adobe IDs and passwords we believe to be involved, we have been eliminating invalid records. Any number communicated in the meantime would have been inaccurate. So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and what were at the time valid, encrypted passwords for approximately 38 million active users. We have completed email notification of these users. We believe the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data. We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident. Our notification to inactive users is ongoing. We currently have no indication that there has been unauthorized activity on any Adobe ID account involved in the incident.

In short: 2.8 million users had their names, encrypted payment card numbers, and card expiration dates filched by the attackers. An additional 38 million users had their user IDs and encrypted passwords stolen. However, because Adobe was unable to validate the number of users affected by the loss of user IDs and encrypted passwords, it did not disclose this initially. It has waited until it has more accurate figures.

Adobe has issued a communication to all of its customers this morning that it has sustained an attack to its network and its system has been breached. As a consequence, anyone who has conducted a transaction with Adobe has potentially had their name, encrypted payment card number, and card expiration date accessed by the attackers, although the number of affected customers has been placed at 2.9 million by Adobe's Chief Security Officer, Brad Arkin. Adobe does not believe that any decrypted card numbers were removed from their systems. The recommendation is for all Adobe customers to change their account passwords, which you can do by following this link, and to change the passwords of any accounts that might share your original Adobe password or ID. You should also keep a close eye on your bank transactions, be alert for any unusual payments, and to notify your bank if you spot anything untoward.

In addition to customer data, proprietary sourcecode for the ColdFusion web application and Acrobat programmes were filched. This has the potential to open up millions of users to security breaches, if the hackers can capitalise on any security holes or bugs in the code. Just think how many people use Acrobat.

The breach was spotted by Brian Krebs of Krebson Security; he has asserted that the hackers responsible were also behind the LexisNexis hack and it probably commenced at some time in mid-August.

Keep alert, people, and please remember to practise proper password security.

(Most information came direct from Adobe, some additional details from Ars Technica)

Adobe's security breach in October was far more serious than believed

Adobe's undergone a security breach. Time to reset your passwords.