Adobe Hacked, 2.9 Million Customer Accounts Compromised

[Liquidstate]

Adobe Hacked, 2.9 Million Customer Accounts

I think the main issue here is Adobe's misguided decision to move to a completely subscription-based business model.

Even the big international banks don’t attempt to administer a global system that includes continually authenticating large software apps on insecure users’ consumer machines through the consumer web.

I run authenticated PSD6, and fortunately I haven't received that letter. But I suspected this sort of thing. Functional paranoid that I am, I bought my PSD6 in a box from The Apple Store just before the subscription gate slammed shut. So at least it was possible to get it, with no issues, directly from Apple.

Bottom line for me was, I trust Apple a whole lot more than I trust Adobe.

Now the question is, is Adobe going to LEARN from this and stop this draconian subscription-only nonsense?

We’ll see.

 

[RedWeasel]

"Unaware" you say? "Source code" you say?

Considering that flash and reader have been the victim of so many security vulnerabilities, I expect to see something come up in the near future. How horrible.

Well, if Adobe developers are not able to find the holes in the own code, why should external developers be able to?

 

[samcraig]

Only you would blindly come to Adobe's defense in light of a breach like this.

Sarcasm? I can't figure out how you would think I was siding with Adobe on this from my post. At all.

 

[Zellio]

I'm surprised.

 

[ValSalva]

So ironic. CC stand both for "Creative Cloud" and "Credit Card".

Makes sense because to buy Adobe CC they need your CC. Well, rent, actually

 

[kazmac]

damn...

this is exactly why I want a physical copy of the application(s) on my computer. No cloud computing for me.

I will stick with Pixelmator and other cheaper, safer alternatives when it comes to the light design work I do.

Adobe need to make this right asap, I hope everyone in this forum who got those emails will be okay.

 

[m00min]

Have to admit reading about this this morning made me chuckle a bit. Let's be honest, who didn't see this coming?

 

[typeadam]

I rely on Illustrator and Photoshop heavily but CS5 was the last suite I purchased. I wanted to avoid CC as long as possible and now I'm glad I did. Maybe if they tighten up and straighten out their system and allow me to have a physical copy of my software then I'll upgrade. Until then, I'll stick w/ CS5.

 

[Oracle1729]

So force all your commercial customers onto a subscription plan and then let hackers get all their personal information. Sounds like a fantastic business plan.

Thanks to their run-up in stock price, I lost my shares to an option assignment late last month so I felt kind of bad. Now I'm just sitting here laughing as I watch them plunge below my sell price.

 

[ljdonato]

Received email, but account still works?

Hi all
Has anyone experienced this?

I received the email most are receiving by now. The email clearly states that my password has been reset. And to go to adobe.com to change the password.

Instead of clicking the email link, I went directly to adobe.com and entered my current account info, and I was able to sign in!

If they have reset my password (the email is marked 8 hours ago- 2am), how come I can still enter with that same password? The email seems legit and the headers look correct, etc...

Anybody else care to try?
Thanks and take care.

 

[NY Guitarist]

As a long time Adobe CS Master Collection user I refuse to buy into the 'cloud' subscription paradigm.

 

[OneMike]

More reasons why I never use the same password on more multiple sites, and refuse to store my CC info anywhere amongst other security precautions.

 

[Suzisque]

They have your bank account info

After the hack, I saw some weird $1.00 charges showing up in my bank account from Adobe. Talked to adobe and they new nothing about them. Had to get my bank account stuff all changed. Watch out! The hackers got it all. Doesn't take em long to decrypt anything.

Be nice to go back to good ol hard copy install disks, but I'm sorta screwed with the adobe stuff as I do graphics for a living. Yeah, I'm sure there are a lot of unhappy Adobe customers out there that don't like the SAAS model. ; (

Think I'm going to start using opensource graphics stuff.

What a friggin bummer.

 

[jacquesrk]

I don't know if Adobe does it or not, but many accounts I have send out an email w/a link I have to click in order to verify the password change.

As I described in post #22, Adobe doesn't store passwords in plaintext, but uses a hash. At least, that's the impression I get from the article, which is probably accurate. What it comes down to, really, is how good the hashing algorithm is, and what kind of salts they use, if any. The hacker or hackers here have a database full of hashed passwords, which doesn't tell them what your password actually is. They still have to guess what your password is, before they can use it, before they could ever change it. People still would be advised to change their passwords, because it's still possible to run a dictionary attack for any given password, though hopefully not all of them in the whole database at once.

One important thing to remember is that many online accounts have a "forgot your password?" link that allows you to create a new password. The site will send you an e-mail including another linkbthat you click on to reset your password (and doing this doesn't require the knowledge of the old password). Which means that, if someone has your e-mail password, they can reset the password to, and then access, many of your online accounts. Your e-mail password is your most important password.

 

[3282868]

Karma, it's a *****

 

[locust76]

Silly question but. If hackers got Adobe ID's and passwords whats to keep them from changing the password ?

The passwords were encrypted.

 

[koban4max]

Unless you live off the grid in the woods and keep whatever money you have under the mattress your personal and financial info is on servers connected to the Internet and thus are susceptible to getting hacked.

i think there is thing called, "encrypted?"

 

[LethalWolfe]

i think there is thing called, "encrypted?"

Not all encryption is created equally and encryption doesn't protect your data from people that already have the keys (i.e. employees that aren't supposed to look at private data but do anyway).

I can't find the link but Ars ran a really good story a few months ago about the shocking sad state of encryption (old & already broken) that many 3rd parties use to keep user data 'safe'.

 

[rhett7660]

Maybe the hackers can release a version of Adobe Acrobat that isn't full of security holes

We can dream can't we.

This just sucks for Adobe and their customers.

 

[phrehdd]

There is absolutely no reason an outside entity should be able to get sensitive data of this sort. There are so many ways to store encrypted information and tiers for decryption as well as tools to notify of unusual lists/reads of information.

The best thing that could happen is that all those notified by Adobe (and Adobe did send a notification out) go and file a class action suit.

If the data was taken by someone inside the company or aided by such that too could have been found out as fast as it was happening. This type of data store need not have existed as something so easy to steal.

Sorry if I appear to rant but having worked for a major company that did take precautions it irks me to see a company like Adobe be so lackluster in their own security of customer (sensitive data) information. Shame on Adobe.

 

[ValSalva]

I just received my first spam ostensibly from Adobe asking for me to reset my password. The obvious tip offs were that there was no explanation as to why and a direct link to do the reset. I also don't have an Adobe account at that address. It didn't take spammers long

 

[schaibaa]

As I described in post #22, Adobe doesn't store passwords in plaintext, but uses a hash. At least, that's the impression I get from the article, which is probably accurate. What it comes down to, really, is how good the hashing algorithm is, and what kind of salts they use, if any. The hacker or hackers here have a database full of hashed passwords, which doesn't tell them what your password actually is. They still have to guess what your password is, before they can use it, before they could ever change it. People still would be advised to change their passwords, because it's still possible to run a dictionary attack for any given password, though hopefully not all of them in the whole database at once.

While this is true, it's quite possible to brute force passwords with a list of top {x} number of common passwords. At least 5-10% of people will use these common passwords.

So if you use an NFL team for your password, or something else like that - chances are you have it coming

 

[pmxperience]

That moment when all of your adobe products are pirated.
- (dodged that bullet)

…Still got the email though.

 

[dazed]

This makes me want to cancel my subscription but if I do them I have to pay 50% of what's left (10 months).

****** situation.

 

[Miguel Cunha]

Here come the "This is why subscription service sucks" posts...

Either way, bummer. :/

Figures... That's why I won't go beyond CS6.
I think Adobe is starting to see what's coming for them.

I received a rather intersting survey, about Premiere Pro.
What stroke me the most, were comparison questions whether buying it through the Creative Cloud service (not at all, for me ), or standalone perpetual license (definitely ).

I hope they return to perpetual licenses in all their products.