
Important Customer Security Announcement - driverdan
http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
======
Osmium
> We also believe the attackers removed from our systems certain information
> relating to 2.9 million Adobe customers, including customer names,
> _encrypted credit or debit card numbers_ , expiration dates, and other
> information relating to customer orders. At this time, we do not believe the
> attackers removed decrypted credit or debit card numbers from our systems.

Well that's reassuring(!) If these hackers were so "sophisticated" then
presumably they could have obtained Adobe's decryption keys too? If not, why
not?

Guess I'll have to phone my bank tomorrow... hope they don't charge me for the
new card. Oh Adobe...

Edit: It just occurs to me that people with pirated Adobe software aren't
having any problems right now. The same argument could be made of any service,
of course, but at least with the old way of purchasing Adobe software (vs.
Creative Cloud) Adobe didn't have to store your credit card number for an
extended period of time. I don't think this excuses piracy, but it's not going
to do anything to discourage it.

~~~
davvid
_We also believe the attackers removed from our systems certain information
relating to 2.9 million Adobe customers, including customer names, encrypted
credit or debit card numbers, expiration dates, and other information relating
to customer orders_

On first reading I had a split-second where I thought the attackers did
everyone a favor by _deleting_ the data; e.g. "drop table
customer_financial_data". Unfortunately they meant the ~other~ kind of
"removal". I think "obtained" would have been a better word to use here
(instead of "removed").

~~~
wglb
Exfiltrated.

------
bcn
More details from Brian Krebs' blog post -
[http://krebsonsecurity.com/2013/10/adobe-to-announce-source-...](http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/)

    
    
      "KrebsOnSecurity first became aware of the source code leak roughly one week ago...with fellow researcher Alex Holden...discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll."
    
      "The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat."

~~~
keyle
Well good luck to them with the source of Acrobat and PDF reading/writing.

I'd rather obtain minified javascript.

~~~
spoiler
Well, it might finally shed some light on the Mayan/Incan/Aboriginal, or just
plain out cryptic and esoteric secrets of why the hell the PSD format is so
inconsistent and annoying to work with!

------
ChikkaChiChi
Less than 1 year into forcing their users to 'The Cloud' for future updates,
Adobe has proven incompetent at protecting our data (and even their own).

I feel particularly bad for the design houses that have entrusted Adobe with
their intellectual property because it was supposed to be safe who now have to
rethink how safe their assets really are.

------
nutjob123
Much more interesting than the customer data: "We are also investigating the
illegal access to source code of numerous Adobe products". In the linked blog
post they say: "Adobe is investigating the illegal access of source code for
Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an
unauthorized third party"

~~~
kunai
It's about time. I hate to be one to advocate piracy, but this massive leak of
source was something that we needed desperately.

It's illicit, but it will help free software and reverse engineering in a huge
way. Adobe doesn't deserve to manipulate its users with CC like it's doing
right now.

~~~
conductor
We can expect more 0-day exploits for Adobe Acrobat.

~~~
uladzislau
I suspect not only Acrobat but it might be any PDF reader.

~~~
brisance
I don't understand. Aren't there open source PDF readers out there already
that have had their code checked and audited?

------
chestnut-tree
Some naive questions from someone who genuinely doesn't know: how is it that a
company cannot detect when someone downloads a giant database of sensitive
personal information from their servers? Surely, there are ways to monitor
access to this data and immediately flag suspicious behaviour? How do the
intruders even find the location of this data and then download it? Isn't
there some best-practice security measures that can prevent all of these
things? I presume Adobe failed at all of them?

~~~
drone
> how is it that a company cannot detect when someone downloads a giant
> database of sensitive personal information from their servers? Surely, there
> are ways to monitor access to this data and immediately flag suspicious
> behaviour

There are classes of products related to this specific task, generally we call
them "DLP" or _Data [Leak|Loss] Prevention_.

What we don't know, is how the information was transferred from the servers,
and how much different that traffic looked compared to normal activity. It's
easy enough to catch a credit card number flying through a plain HTTP packet
over the network in the wrong direction, but it gets much harder when the
party trying to transfer that data is intentionally attempting to avoid
detection.

> Isn't there some best-practice security measures that can prevent all of
> these things

Yes, but none of them are perfect, and even if they were, they would require
perfection from human operators. (Perfectly configure, maintain, monitor,
etc.) And, of course, they assume you can identify a threat before it leads to
compromise.
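drone's point is that a card number crossing the wire in clear text is easy to catch, while a transfer shaped to avoid detection is not. As an added example (not code from the thread or from any DLP product), here is a minimal DLP-style scan over constructed HTTP request bodies: it flags only Luhn-valid card numbers, masks them in the alert, and shows that the same number base64-encoded passes straight through. Destinations and card values are constructed test data.

```python
import re

# Constructed sample traffic: outbound HTTP request bodies as an egress proxy
# or DLP sensor might see them. Card values are industry test numbers and the
# destinations are documentation addresses; none of this is data from a breach.
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "body": "order_id=8812&status=shipped"},
    {"dst": "203.0.113.10", "body": "name=J+Doe&card=4111111111111111&exp=1215"},
    # sixteen digits that fail the Luhn check: an order id, not a card number
    {"dst": "198.51.100.7", "body": "id=1234567812345678"},
    {"dst": "198.51.100.7", "body": "card=4012 8888 8888 1881, 5555-5555-5555-4444"},
    # the first Visa test number again, base64-encoded: a plain PAN scan is blind to it
    {"dst": "198.51.100.7", "body": "blob=NDExMTExMTExMTExMTExMQ=="},
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digits-only form of every PAN-like value in text that passes Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep the BIN and last four digits so the alert itself never re-exposes a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_flows(flows: list) -> list:
    """Run the PAN scan over each flow body; one masked finding per card number."""
    findings = []
    for flow in flows:
        for pan in find_pans(flow["body"]):
            findings.append({"dst": flow["dst"], "pan_masked": mask(pan)})
    return findings


if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"ALERT outbound PAN to {f['dst']}: {f['pan_masked']}")
    # The encoded body produces no finding: content matching alone is not enough,
    # which is why volume and destination baselining matter as a second layer.
    print("base64 body flagged:", bool(find_pans(SAMPLE_FLOWS[4]["body"])))
```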

------
eksith
I was told repeatedly that I was a sucker for buying Adobe products (I own CS3
and never found it necessary to upgrade) instead of pirating. Well, I'm
conflictingly feeling like a sucker.

Conflictingly because my CC info has since expired, but other personal data
would still be in their records. I wonder how far back they keep those, but I
guess I'll find out soon enough if I'm in the lot.

Edit: If anyone is worried about the source getting leaked giving rise to
0-day exploits and the like, you can at least move away from Reader into
something like Sumatra PDF (open source). If all you need is a reader, it's a
very handy alternative and far more nimble with resources (no I'm not part of
their project. I'm just a very happy user)

------
Samuel_Michon
> certain information relating to 2.9 million Adobe customers

It would be nice to know how many user accounts Adobe manages, so that I can
better estimate the likelihood of my accounts being affected. If they only
have 2.9 million accounts, I should be worried; if they have 100 million
accounts, I should still worry but perhaps a little less so.

I have not (yet) received an email from Adobe regarding this latest attack,
but I have an Adobe Creative Cloud subscription as well as several Typekit
accounts. I use 1Password to generate passwords, but of course that doesn’t
protect my credit card information.

------
aroch
This quote from the Krebs post is both laughable and horribly saddening. Even
Adobe can't manage to keep Adobe software installs up to date

>Arkin said the company has not yet determined whether the servers that were
breached were running ColdFusion, but acknowledged that the attackers appear
to have gotten their foot in the door through “some type of out-of-date”
software.

------
plg
I wonder if this is why my university IT dept just broadcast an email saying
that Adobe is "auditing" every computer on campus for the university's site
license. They want to come into everyone's office and labs and run some
"script" on every machine that does who knows what. Needless to say I said "no
thank you".

------
keyle
We need some technology that makes our Credit Card numbers change every few
days.

I am shocked that most people think it's OK these days to drop the "Oops,
nasty baddies bad bad got in and there goes your details, so so sorry, come
again."

If this happens to some small startup with the one PHP nerd that doesn't
really know what he's doing (and is underpaid anyway) - that's fine. Or at
least acceptable. You're living on the edge.

But a Fortune 100 company... COM'ON.

~~~
tlrobinson
Some credit card companies let you generate expiring CC numbers for specific
purchases, but that's a lot of work, and wouldn't work for recurring purchases
(like Adobe Creative Cloud)

~~~
nivla
>Some credit card companies let you generate expiring CC numbers.

I know Citi Credit card lets you do that.

> and wouldn't work for recurring purchases (like Adobe Creative Cloud)

It could. If I remember correctly, Citi card lets you generate three types of
Virtual Cards. One based on the expiration (less than a month), another based
on the maximum amount/balance (where expiration is about a year) and finally a
combination of both.

Virtual credit-cards are real handy especially when trying those 30 day trial
services.

~~~
unclebucknasty
Yeah, AMEX used to allow one-time use numbers with its Platinum Corporate Card
(maybe other cards as well). But, they stopped years ago. Don't know if it was
hard to manage or if I was just the only one using it, but I loved it.

Seems that another way to solve this for recurring payments would be to
likewise issue a virtual number. But, only the merchant with a particular
Merchant ID could apply a charge to that number.

In general, it's actually a strange concept that we walk around with these
wide open payment methods that only require that a dishonest person acquire a
few bits of information to abuse with impunity.

~~~
tanzam75
> _Yeah, AMEX used to allow one-time use numbers with its Platinum Corporate
> Card (maybe other cards as well). But, they stopped years ago. Don't know
> if it was hard to manage or if I was just the only one using it, but I loved
> it._

Very few people used it.

But there is an additional problem, from American Express's point of view.
Virtual credit card numbers are patented by Orbiscom, which was acquired by
MasterCard in 2009.

~~~
unclebucknasty
Interesting. I wonder if non-virtual credit numbers are patented (i.e. the
very idea of credit cards)? I'm sure I could look that up, but too lazy.

Pretty ridiculous though.

On a related note, I just came across this:

[http://storefrontbacktalk.com/securityfraud/the-big-three-cr...](http://storefrontbacktalk.com/securityfraud/the-big-three-credit-card-cos-aim-to-revamp-security/)

> _Visa, MasterCard and American Express proposed new global standards to
> replace traditional account numbers with a digital payment “token” for online
> and mobile transactions._

So, either they are licensing it from Orbiscom, ignoring the patent, or it
doesn't apply here.

In any case, it's good news. Looks like some semblance of virtual numbers will
return on a standardized, more global basis.

~~~
tanzam75
Credit cards have been around in their present form since the 1960s. And
magstripe credit cards have been around since the 1970s. So patents on the
basic technology have long since expired. (Of course, there are all sorts of
ancillaries that were developed later -- CVV2 numbers, AVS, fraud-detection,
etc.)

The article talks about _replacing_ 16-digit card numbers with a new payment
infrastructure. The Orbiscom technology produces virtual card numbers that are
backwards-compatible with existing 16-digit credit card numbers.

------
coldcode
How does source code leak in such an attack? Why would customer facing servers
and databases share a network with a code repository?

~~~
zmmmmm
That's kind of a scary part to it. Large organisations don't colocate code and
credit card numbers. They carefully segment things and isolate them to
completely separate silos in completely unconnected systems.

So I would infer that the attackers obviously had access at a very high level,
probably compromising the credentials of someone very senior with very high
privileges. Which in turn means they could almost certainly have compromised
the encryption keys and would be most likely to do so _before_ downloading the
actual CC data.

------
pdknsk
> encrypted passwords

Somewhere, oclHashcat makes room temperature rise.

------
tigerweeds
Maker of the most insecure end-user software in human history gets hacked.
Karma, it is a bitch.

------
jere
I love how I have no emails from Adobe today except for Creative Cloud
advertisements. Thanks.

~~~
unclebucknasty
No emails here either.

Hmm. Maybe the fraudsters literally _took_ the data. As in, Adobe no longer
has our email addresses with which to notify us.

It may as well be that ridiculous.

------
slowdown
As a customer who just made a purchase from Adobe a few hours ago, I feel good
and horrible at the same time. I feel good that their source code was stolen
(I will explain why). I feel bad that my credit card was compromised.

Around November 2011, Apple screwed up one of its premier software products
(Final Cut Pro) and Adobe jumped right in and offered a 50% discount to all of
its Creative suites (version: 5.5). Their pitch then was - "Apple screwed up,
try ours and hey, if you buy the suite, it's yours forever and you get peace of
mind". And so I bought the Windows edition of one of their suites. A year
later, CS6 was announced and I decided to wait for some time before upgrading.
Just to be clear, I shelled out almost $1000 on the CS 5.5 version.

In the last few months, I made the switch to a Mac and I found out that my
license for Windows wouldn't work on a Mac. Fortunately, Adobe seemed to
provide a "crossgrade" path, wherein I can just swap my platform at no
additional cost. Sounds good? No. Except that you can't swap from an older
version (CS 5.5) to a newer version (CS 6). You can only switch between
platforms of the two same versions. Okay, that's in a way fair enough, since
it's been over a year anyway and it's time to upgrade. So, let me just upgrade
to CS6, I thought.

This is where it started to get messy. I searched for links to upgrade to CS6,
and I did find a few. But they all re-directed to the stupid Creative Cloud
edition. WTF?

[1] [http://www.adobe.com/mena_en/products/creativesuite.html](http://www.adobe.com/mena_en/products/creativesuite.html)

I searched and searched and finally found a link that worked. I placed an
order and 24 hours later, my order was cancelled for no reason. I had to
search for that link I found earlier, again. After giving up finding the link,
I contacted customer support, and they again tried to push me onto the stupid
Creative Cloud platform.

    
    
        Support: Based on what we have discussed I highly recommend that you purchase Creative Cloud which includes Photoshop CC for images, Indesign CC for print design, Illustrator CC for graphics, Flash Pro CC for animations, After effects CC for adding effects and plus more.
        Support: Plus you will get all the upgrades and updates for free of cost.
        Support: You can install CC on 2 system both on mac/ Windows.
        Support: I am sure CC will meet all your requirements.
        you: Oh no thank you, please. It doesn't fit my budget. Once I stop paying, everything is gone, unlike in the case of a CS 6 install.
        Support: I do understand your concern, however, going forward there is no upgrade path available since CC is replaced by CS6.
        (WTF)?
    
        you: Do you mean to say, that I can't upgrade from Cs 5.5 to 6?
        Support: The upgrade path from CS6 to CS7 is not available, since CC is replaced by CS7.
        you: Yes, I understand that.
        you: I don't need CC ma'am, really.
        you: It doesn't fit my needs.
        Support: That's okay.
        Support: Let me provide you with the link to upgrade to CS6 production premium, okay.

(Finally!)

It's funny I had to spend so much time with support to purchase CS6, since
Adobe clearly conveys that it intends to sell CS6 indefinitely.
[2] [http://www.adobe.com/products/cs6/faq.html](http://www.adobe.com/products/cs6/faq.html)

Even though the support person gave me the link to buy CS6, I thought it would
be a good idea to probably re-consider CC again. So I checked on the Creative
Cloud page to see if I could just pay $45 for say, about two months and later
upgrade to CS6. But, again, Adobe tries to backstab its users. If you cancel
your CC subscription before 1 year, you will be billed 50% of the total amount
(50% of ($45x12)) as a penalty. WTF?!! So, basically they want to beat their
users to the ground as much as they can.

I decided to try alternatives, because I really wanted only a good Photoshop-
like program and nothing else more (at that point). So, I searched, but I
couldn't find any. Now, this is highly deceptive on Adobe's part because they
play a monopoly role clearly and they decided to backstab their users all of a
sudden.

There is no easy way to buy CS6, there is no easy way to subscribe to CC for
just a few months and the calculations they demonstrate are also deceptive at
best. CC is more expensive than the boxed product.

One of my friends is a blogger, he has a huge follower count. Adobe contacted
him and gave him a free 1 year subscription to CC. I was curious and I found a
lot of bloggers reporting the same. One thing that was common in most of these
Adobe-contacted bloggers' posts was how they stressed that the CC version was
effectively cheaper than their boxed version.

So basically Adobe is _indirectly_ bribing bloggers to write good stuff about
their CC subscription.

Adobe's CEO is an incompetent backstabber who is totally fit for nothing. This
was the same guy who argued with Steve Jobs that Flash on mobile rocks and
later discontinued it. Backstab #1. I was a Flash developer previously. I was
even jobless for a few days because I relied so much on this technology.

Adobe's CEO also backstabbed the much capable Flex eco-system. Do you know how
many Flex developers are jobless now? Backstab #2.

And the Creative cloud (CC). Backstab #3.

That is why I feel happy that their source code was stolen. I was a genuine
customer amongst a million others who just wanted to pay ONCE to use my
software. I could have pirated like many others, but I didn't. I trusted them.
But they took a U turn and decided to shoot us in the back.

Also, this guy is never straightforward: [http://gizmodo.com/5984191/adobes-ceo-completely-refuses-to-...](http://gizmodo.com/5984191/adobes-ceo-completely-refuses-to-answer-questions-about-unfair-pricing)

This guy is incompetent and needs to be replaced. At least someone should file
a class action suit for abusing their monopoly.

~~~
Samuel_Michon
> Around November 2011, Apple screwed up one of its premier software products
> (Final Cut Pro)

I understand why you would say that, but I don’t agree. At the time, I used
Final Cut Pro 7 daily and when Final Cut Pro X was released, I didn’t
immediately switch to it. I waited for multicam editing and XML export, and
Apple delivered. That’s when I switched to Final Cut Pro X and it was a great
improvement over version 7. When Adobe came up with Creative Cloud, I signed
up. That meant I got Adobe Premiere as part of the package, but after trying
it, I still much preferred Final Cut Pro 7. Comparing Premiere and Final Cut
Pro X, for me, it’s not even a contest. With Final Cut Pro X, I’m way more
productive than I ever was in FCP 7, Avid, Premiere or Media100.

Apple could’ve done better by offering the first few releases of FCP X as a
free beta, but right now, FCP X is a way better product than FCP 7 ever was.

~~~
slowdown
My argument is not about which of the two companies' products are better.
Probably Apple's is better, but the creative suite at 50% off was a deal not
to be missed for me at that time (It included Photoshop, Illustrator, After
Effects, Premiere and Audition)

~~~
Samuel_Michon
Oh, I’m not disputing that, and I too took advantage of that offer. I’m still
very happy with Creative Cloud, with its more frequent updates and lower
pricing. Premiere just isn’t for me. (I did use Premiere extensively back in
the 90s, but that was before FireWire, digital camcorders, and FCP.)

------
petercooper
Could this result in a huge fine or penalty, not least due to potential PCI
DSS violation? Here in the EU, it'd be a big data protection issue as well.

------
pirho
Here's the email...

----------

Important Password Reset Information

To view this message in a language other than English, please click here.

We recently discovered that an attacker illegally entered our network and may
have obtained access to your Adobe ID and encrypted password. We currently
have no indication that there has been unauthorized activity on your account.

To prevent unauthorized access to your account, we have reset your password.
Please visit www.adobe.com/go/passwordreset to create a new password. We
recommend that you also change your password on any website where you use the
same user ID or password. In addition, please be on the lookout for suspicious
email or phone scams seeking your personal information.

We deeply regret any inconvenience this may cause you. We value the trust of
our customers and we will work aggressively to prevent these types of events
from occurring in the future. If you have questions, you can learn more by
visiting our Customer Alert page, which you will find here.

Adobe Customer Care

------
uslic001
Just another reason for me to continue to despise Adobe. Thankfully I bought
my version of Acrobat Pro on Amazon so they did not have my credit card, but
still Adobe handed all my other information over to the hackers due to poor
security practices. Thankfully I also had used Lastpass to generate a unique
password for their site.

------
ChuckMcM
I expect this sort of thing will be the ultimate death of 'cloud' computing in
the sense Adobe and others would have you use that term.

There is tremendous "pain" here (both for vendors and for customers) which, if
effectively addressed, could be the next Google or Apple.

~~~
simula67
Can you please explain what you meant?

Are you saying we need to create a cloud service that is completely secure
(which we know is impossible)? My understanding is that CloudFlare is already
tackling the security aspects of hosted services and seems to be doing well.

~~~
ChuckMcM
_Can you please explain what you meant?_

Sure, and note that my background has included secure systems design work.

Secure systems operate under a couple of constraints. It is as you posit,
impossible to make a 'completely secure' system, just as it is impossible to
make a 'completely safe' airplane (and the 'impossible' here means that such a
system continues to be usable or commercially viable). But generally if you
can make a 'secure enough' or 'safe enough' system, then you can still make a
business out of it.

Using a fairly simple example, general residences in the US are not secured
against experienced thieves, but in general experienced thieves aren't trying
to steal things out of random houses, they go for specific houses. So the
system "works" because you aren't getting broken into every day. And if the
house next door is burglarized your house is no less secure than it was the
day before.

But in a cloud system the thieves get tremendous economy of scale, rather than
breaking into one house they can break into every house in the city. In that
way even if you don't have 'much' if you have _anything_ they can steal it.

Cloud computing both ties together high value and low value targets on the
same system, and makes the total return of compromising the system higher in
proportion to the number of users of that system. That is a real challenge
because now everyone needs really really good locks on their houses, the costs
go up and the usefulness goes down.

------
bitserf
Well, pretty happy I bought Lightroom through Amazon right about now.

Reason: Adobe charges basically double the US price in Australia/NZ if you buy
from them directly, and I refuse to pay a location tax since it costs them
zero dollars extra to send me bytes through CDNs.

~~~
jestar_jokin
Support staff and localised service centres still need to be paid for somehow.
Also, sales staff, business liaisons, legal staff to deal with local laws and
regulations, all the managers to manage them, etc. With a smaller potential
userbase in Aus, they can't subsidise the support costs across as many people,
so maybe that's why they charge more.

~~~
bitserf
Those are the Adobe responses to Australian government when queried about the
discrepancy, correct.

Not sure how much localisation is required since Australia, like New Zealand,
is an English speaking Western democratic country.

Pretty sure we could understand US vernacular and cultural differences.

Call it what it is: Discriminatory pricing because they think that is what the
market will bear. Fine, but I feel free to work around it as well.

------
hunvreus
I used to pay for Photoshop and Illustrator too, until I realized Adobe was
more interested in adding clutter-ware (Adobe Updater, anyone?) than trimming
down and speeding up their monstrosity of a code base.

After a while on Inkscape I am now running with:

- Sketch ([http://www.bohemiancoding.com](http://www.bohemiancoding.com)) as
a replacement to Illustrator (vector drawing).

- Acorn ([http://flyingmeat.com/acorn/](http://flyingmeat.com/acorn/)) as an
alternative to Photoshop for bitmap design (though it now supports vector
drawing, much like Photoshop).

I am not affiliated in any way.

~~~
richforrester
1) Adobe Updater works fine for me now that they've got CC; lots more frequent
updating.

2) Sketch/Acorn are not available on Windows.

Not saying you're wrong; just saying I disagree :)

~~~
hunvreus
The few times I got to play with Photoshop/Illustrator on Windows I felt the
experience (performance, responsiveness etc) was overall better than on MacOS.
Admittedly, I've owned mostly laptops since 2005.

------
driverdan
Why was the title changed from the informative "Adobe Accounts Hacked" to the
useless and generic "Important Customer Security Announcement"?

------
QuiteMouse
I refuse to use the cloud services anymore. I may be using a version of
Photoshop that is 4 years old, but it does the job and does it well. There are
some new features that I'd like to have, yes, but it's a small price to pay
when compared to having all your personal information compromised.

------
slowdown
This sucks, especially considering the fact that I just made a purchase a few
hours ago :/

~~~
mongol
Then you are probably lucky since the intrusion likely was earlier than that.

------
jlgaddis
> POSTED BY BRAD ARKIN, CHIEF SECURITY OFFICER

Time to dust off the ol' résumé, Brad.

------
chmars
Have you had success with your password reset?

I always get an error message:

 _The provided email address could not be matched to an account on file.
Please try again._

Thanks to 1Password, I am pretty sure that the provided mail address is
correct …

------
unclebucknasty
Awesome. That's two breaches in one day from two different companies with
which I've done business.

This is out of control. The bad guys are winning. Time for a new paradigm.

------
ibstudios
No word on whether or not they encrypted passwords? ...Sigh.

~~~
bstrand
"Our investigation currently indicates that the attackers accessed Adobe
customer IDs and encrypted passwords on our systems."

~~~
ibstudios
Thanks!

------
elwell
Well if the cc #'s were encrypted at least half as esoterically as the PDF
file format, we have nothing to worry about.

------
grogenaut
Looks like not even Adobe does the daily update / reboot required when Adobe
software is installed.

------
Havoc
Adobe seems to be in the business of producing security flaws...

------
zapt02
This is huge.

