

Adobe hack: At least 38 million accounts breached - tareqak
http://www.bbc.co.uk/news/technology-24740873

======
isomorphic
Adobe's security breach undermines their new Creative Cloud licensing model,
because Creative Cloud requires an ongoing trust in Adobe in order to continue
functioning. A boxed software (or one-off download) model is transactional,
requiring less trust. (One can, at least, firewall boxed software to limit
potential damage.) Since Creative Cloud is subscription-based, one has to
maintain an account with Adobe to keep the software working.

As someone dithering about transitioning from Creative Suite to Creative
Cloud, receiving Adobe's letter was a slap in the face.

Given that the breach not only included accounts and credit cards, but also
_source code_, I believe it's reasonable to speculate about potential
exploits, including exploits in the Creative Cloud deployment mechanism. Going
a little further into paranoia, I wonder if running Creative Cloud is
potentially equivalent to running a trojan delivery system. I.e., how do we
know Adobe's servers are _now_ secure? Adobe is being cagey about the extent
of the breach; the breach may have included internal Adobe credentials that
can only be solved by a system-wide nuke-and-pave.

I really _want_ to buy Adobe's new software, but they're making it extremely
difficult for me.

------
toddmorey
It's maddening that their default position offers no real amends for their 38
million impacted customers, save for a free year of credit monitoring.
Canceling my card and getting it reissued is not trivial.

It's not so much the breach as it is the lackluster response and lack of
ownership of the problem that has me ready to cancel the service. Even the
original blog post, which reported only 1/10th of the real information leak,
started with: "Cyber attacks are one of the unfortunate realities of doing
business today. Given the profile and widespread use of many of our products,
Adobe has attracted increasing attention from cyber attackers."

Sure those are valid statements, but they don't really help me feel good about
the Adobe platform going forward, and they do more to pass responsibility than
to claim ownership.

~~~
jlmorton
You should not be upset with Adobe. You should be upset with your payment card
provider.

This industry has systematically externalized the cost of these data breaches,
and the security systems necessary to try to prevent them, to every other
business and end-user in the country.

There are many ways to solve this problem. Europe has largely solved this
problem, and using your antiquated American credit card in Europe is not only
difficult, but even if possible will elicit crazy looks.

What other industry today would you trust that the only security is a 16 digit
number that you repeatedly share with the world and your zip code? And to
think this is how we secure our money?

Adobe is offering a service that costs at the least tens of dollars to 38
million people. What is your credit card offering?

~~~
bronbron
> Europe has largely solved this problem, and using your antiquated American
> credit card in Europe is not only difficult, but even if possible will
> elicit crazy looks.

Wait what does Europe do? Just genuinely curious, and a cursory google search
didn't return anything.

~~~
hfx
Chip and pin cards.

I can confirm, when I first came to the UK four years ago, only major
retailers seemed willing to accept my Canadian CC, and even then, the cashier
usually had to call the manager to confirm that it's ok.

Another thing I have to credit Europe with is the lack of proprietary debit
card systems like Interac or Plus. It's all done via Visa/Mastercard Debit, so
you're never forced to do your online shopping on credit.

~~~
Zombieball
Coming from Vancouver, I assumed chip & pin cards were widespread across
Canada (they are here). I suppose this is not the case?

------
cptskippy
They've already started putting that stolen data to good use too.
[http://i.imgur.com/nm6qMGy.png](http://i.imgur.com/nm6qMGy.png)

~~~
at-fates-hands
I connected my old Yahoo account to my Adobe ID and within days of the breach,
my Yahoo account locked up due to "suspicious activity" on it and I had to
jump through a few hoops to get it reinstated.

Thank god I didn't have any credit card info on my Adobe account.

~~~
wiredfool
Ah. That explains the flickr forced pw change n days ago.

------
uptown
Quite the increase from their original estimate of 2.9 million.

~~~
cygwin98
PR damage control.

BTW, Adobe seems to be a vulnerable giant to be taken over. Not sure why no
startups target them.

~~~
cmbaus
I think they have, but it is subtle. It could be argued that Instagram was a
shot over Adobe's bow.

~~~
cygwin98
Not sure if Instagram is a competitor to Adobe though, maybe over their
low-end mobile apps. I was thinking of Adobe's cash cow -- Creative Suite. That
could be a good niche market for C++ programmers from game companies to build
their startups on.

Adobe of today is like RIMM in 2007 before the original iPhone was announced.

~~~
samman
I was just thinking this morning about how from a technology standpoint Adobe
seems to be way ahead of virtually everyone else at the moment. The only
competing (pro to prosumer level) applications I've seen that are comparable
with regard to features and polish to anything in Adobe's suite seem to be
video editors (Final Cut, Vegas, Premiere), and maybe something like Aperture.
It gives me a lot more respect for what Gimp and Inkscape are trying to
accomplish, but it's a very long road they have ahead of them.

In the low-end space there was the Aviary suite, which despite really
interesting potential seems to have pivoted to mobile. Pixelmator and
Paint.NET have done an extremely good job at providing basic layered image
editing functionality, but I don't see anything emerging to challenge Adobe
yet.

A competitor in the Pro/Prosumer space would need to develop, from scratch,
extremely sophisticated, feature-rich applications to replace Adobe's big 4:
Image Editing, Vector Graphics, Motion Graphics, and Video Editing. They'd
also need to tightly integrate these applications. This would be HARD. I don't
think that the effort/risk/reward proposition looks very attractive for
startups or their investors. Also, while game programmers might have some
useful experience, I think that computer vision programmers would be much more
familiar with the problem domain.

Apple, or maybe Corel probably would have done this a long time ago if it was
feasible.

~~~
camus2
Adobe only dominates the photo editing / print sector. They are not the
industry standard in either motion graphics or video editing. They are
losing the web developer market and they could be losing the web and game
graphics market too (since they killed Fireworks).

~~~
samman
That's a fair point. Photoshop and Illustrator are definitely their flagship
products, and I didn't even bother mentioning their web tools (HTML5 is
rapidly making Flash a legacy/zombie product, and I don't think there's any
single clearly dominant web design/dev tool/toolchain -- although I'd argue
that the majority of mockups still occur in Photoshop, and slicing up PSDs for
the web is still done). I mentioned Premiere and After Effects because they're
the other 'big' apps that Adobe develops, and they do integrate tightly with
their main 2 -- but as you mentioned, Premiere and AE definitely have very
healthy competition.

Which brings up an interesting question...if After Effects and Premiere have
strong competition, why don't Photoshop and Illustrator have equally strong
competitors? I've already taken a guess, but I'm interested in other
perspectives.

------
revisionzero
I know there is an auditing process whenever a breach occurs, so it somewhat
makes sense. However, it really seems like companies intentionally announce a
'smaller' breach only followed up (99% of the time) with a 'massive' breach.

I would much prefer an initial 'massive' breach announcement (when possible),
as that would breathe a higher level of transparency and honesty.

~~~
freehunter
As someone in the information security industry, it's a balance between
getting the information quickly and getting the information completely.
Especially in the case of a major organization who needs to communicate with
customers. You're going to catch flak for not saying anything fast enough, and
you're going to catch flak for saying something inaccurate.

In breaches I've been involved with, some companies would prefer to do the
full investigation and _then_ present the information to their customers (in
accordance with the policy of whatever state they fall under the jurisdiction
of). Others would rather let their customers know that there was a breach as
soon as possible, while the investigation was ongoing (even if the information
may change after the initial communication). It's really hard to say which is
the "best" policy, but if it's CC data or PII, personally I would rather hear
2 million... no wait 36 million than not hear anything for days or weeks while
my information is being disseminated.

------
chewit
When I go to the adobe website and try to login, it tells me that I need to
reset my password. Well that's great but it tells me this no matter what
password I enter. Last time I logged into the adobe website was probably a
year ago so I have absolutely no idea what services I need to change my
password for so I need to change them all. Thanks Adobe!

------
sparkman55
As someone who (very occasionally) needs to manipulate PSDs, are there any
alternatives to Adobe? My version of Photoshop is woefully out of date, and
I'd prefer not to pirate. I was just looking at shelling out $30 a month to
try out Photoshop CC, and then saw this!

~~~
nathos
If you're a Mac user, take a look at
[http://www.pixelmator.com](http://www.pixelmator.com) or
[http://flyingmeat.com/acorn/](http://flyingmeat.com/acorn/)

~~~
sparkman55
Thank you! For my purposes, Pixelmator is perfect!

------
taf2
I received the letter in my mail reporting my information was stolen from
Adobe... pretty scary we had to sign up for a credit check company as a
result. With the article here:
[https://news.ycombinator.com/item?id=6583103](https://news.ycombinator.com/item?id=6583103)
we decided not to go with Experian... but that didn't ease my concerns with
the other two options...

~~~
leetrout
Same here. I didn't feel their offering from Experian was great either. I just
canceled my card instead.

~~~
ahelwer
Cancelling the credit card is probably a wise course of action? I have a
subscription to creative cloud.

------
asdz
Am I the only one that feels that the numbers don't matter? Any website
that's been hacked should basically consider that everything has been
compromised, right?

Not something like - Ohh, your account has been compromised, yours is not,
his is... etc

------
tensor
Is there a list of accounts affected somewhere?

