Adobe Hacked, 2.9 Million Customer Accounts Compromised

by

Adobe today announced that hackers have managed to obtain information on approximately 2.9 million of its customers that have downloaded its software, including customer IDs, encrypted passwords, customer names, encrypted credit/debit card numbers, expiration dates, and other information on customer orders.

adobe_creative_cloud_feature
Adobe does not believe that the attackers were able to obtain decrypted credit or debit card numbers from its system, and is currently working with external partners and law enforcement to address the issue.

As a precautionary measure, Adobe is contacting users with affected accounts, initiating password resets. The company is also offering customers that had their credit or debit card information accessed the option of enrolling in a one-year complimentary credit monitoring service.

As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.

We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.

We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.

We have contacted federal law enforcement and are assisting in their investigation.

In addition to customer accounts, the hackers also accessed the source code of a number of Adobe products, but Adobe says that it is unaware of any increased risk to customers as a result of that particular attack.

Top Rated Comments

(View all)
Avatar
87 months ago
Hmmm.... I wonder if there's a business model where we can get paid again and again forever whether we fix bugs or not, and EVEN if our updates are not very useful ones. One where we're under NO pressure to make our software great, because it won't affect our income. One where we can be paid for apps we let stagnate, alongside the ones we still work on. One where our customers' own creative work is held to monthly ransom, ready for us to lock them out at any time. One where we load their machines with layers of buggy crapware and updaters. And one where we keep ALL our users' credit card numbers on file forever!

�� I think I have an idea!
Score: 21 Votes (Like | Disagree)
Avatar
87 months ago
Maybe the hackers can release a version of Adobe Acrobat that isn't full of security holes :rolleyes:
Score: 17 Votes (Like | Disagree)
Avatar
87 months ago
Yet another good reason I'm not on the cloud. Adobe: "Hey, hackers may have gotten your credit card, and we're not gonna give you any free months of CC. Keep an eye on your own credit card." Greedy bastards!
Score: 13 Votes (Like | Disagree)
Avatar
87 months ago

Silly question but. If hackers got Adobe ID's and passwords whats to keep them from changing the password ?

They got encrypted passwords, which are useless without decryption.

Specifically, the passwords are stored in a hash. What happens is you select your password and Adobe takes that password, does some math to it, then stores the resulting hash in their database somewhere, rather than storing your actual password. Then, when you enter your password to log in, it does the same math on it, and compares the result to the hash they have stored in the database. If the two hashes are the same, it knows you entered your password and it lets you in. If somebody gets the hash straight off their database, as would seem to be the case here, that doesn't help an attacker know what password to type in when they want to log in with your account, unless they can reverse engineer the hash algorithm. So, it really depends on what kind of hash algorithm they used for their database, as to how secure your password actually is.

Generally, it's a good idea to have everyone change their password anyway, just in case the algorithm eventually proves to be vulnerable to attack, or an attacker is properly motivated and willing to spend enough time to crack your password. Some hashes still in use today are considered vulnerable, though, so attackers may very well already be crunching through the hashes and getting plaintext passwords. One can hope Adobe is using a more secure hash, but plenty of big companies have used insecure algorithms in the past.

Hashes are designed not to be reversible, unlike regular encryption designed for actual decrypting at some point, but if the algorithm is known it's possible to simply use it to hash a bunch of password guesses, and then compare those guesses to the hashed passwords. Just search through the database for hashes you've made yourself, and you know the password for each of the accounts with the same password hash. It's essentially a dictionary attack, but it bypasses whatever system Adobe uses to prevent unlimited repeated invalid password entries (like locking your account after a certain number of attempts, or adding delays to the algorithm/webpage so it would take a prohibitively long time to try every possible password).

One method of preventing lookup table attacks like the above is to add a "salt" to the password before it's hashed so the result in the database isn't something the attacker can generate for a table without knowing the salt. Any old salt won't do, though. It needs to be a cryptographically-secure pseudo-random number, unique to each account, never reused when a user changes their password, and long enough that an attacker can't simply make as many tables as there are possible salts. Bear in the mind, the salt still has to be stored alongside the hash in order to authenticate a user, so an attacker knows the salt to use. But, by using a nice long pseudorandom salt for every individual password, each individual password needs a separate lookup table to brute force. Dictionary attacks are still possible if the hash algorithm and salt method is known, but take incredibly long amounts of time to crack the whole database and incredibly large amounts of storage. Against a single specific user, their password may be discovered, but only that one user, and only if they used a guessable password, and each single specific user will require a separate attack. In other words, they're still doing an ordinary dictionary attack, and the usual rules about making your passwords resistant to dictionary attacks apply. Properly salted passwords hashed with a modern secure algorithm are simply not feasible to extract from a database like this, en masse, but it's still a good idea for everyone to change their passwords. It's also a good idea to change any other passwords you have if you've made the common error of reusing passwords on multiple sites.
Score: 12 Votes (Like | Disagree)
Avatar
87 months ago

Maybe the hackers can release a version of Adobe Acrobat that isn't full of security holes :rolleyes:


Hackers are good but they aren't miracle workers.
Score: 8 Votes (Like | Disagree)
Avatar
87 months ago
Here come the "This is why subscription service sucks" posts...

Either way, bummer. :/
Score: 8 Votes (Like | Disagree)

Top Stories

Apple's First MacBook Pro With a Retina Display Will Become 'Obsolete' in 30 Days

Monday June 1, 2020 7:50 am PDT by
If you are still hanging on to a Mid 2012 model of the 15-inch MacBook Pro with a Retina display, and require a new battery or other repairs, be sure to book an appointment with a service provider as soon as possible. In an internal memo today, obtained by MacRumors, Apple has indicated that this particular MacBook Pro model will be marked as "obsolete" worldwide on June 30, 2020, just over...

Five Mac Apps Worth Checking Out - June 2020

Tuesday June 2, 2020 2:25 pm PDT by
Apps developed for the Mac often don't receive as much coverage as apps designed for iPhones and iPads, so we have a series at MacRumors that highlights interesting Mac apps that are worth taking a look at. This month's apps are designed to make working from home a little bit easier. Subscribe to the MacRumors YouTube channel for more videos. Meeter (Free) - Working from home often...

Apple Music Joins Music Industry's Blackout Tuesday Awareness Campaign

Tuesday June 2, 2020 1:31 am PDT by
Apple Music has cancelled its Beats 1 radio schedule for Blackout Tuesday and is suggesting that listeners tune in to a radio stream celebrating the best in black music. Blackout Tuesday is a campaign organized by the music industry to support Black Lives Matter after Minneapolis citizen George Floyd was killed by police in the course of his arrest. On launching Apple Music, many users...

Next Apple Pencil Could Be Released in Black

Tuesday June 2, 2020 10:25 am PDT by
The next iteration of the Apple Pencil could be available in black for the first time, according to leaker Mr. White who shared the tidbit on Twitter this morning. A mockup of an Apple Pencil in black We haven't heard rumors of a next-generation Apple Pencil and it's not clear when a new model might be released. Apple is rumored to be working on mini-LED versions of the iPad Pro, and it's...

iPad Pro With A14X Chip, 5G, and Mini-LED Display Expected in First Half of 2021

Wednesday June 3, 2020 6:22 am PDT by
Apple plans to launch new iPad Pro models with an A14X chip, 5G connectivity, and a Mini-LED display in the first or second quarter of 2021, according to the increasingly reliable Twitter account L0vetodream. The leaker claims that the new iPad Pro models will be equipped with Qualcomm's Snapdragon X55 modem, which supports both mmWave and sub-6GHz. mmWave is a set of 5G frequencies that...

Apple Releases macOS Catalina 10.15.5 Supplemental Update With Security Fix

Monday June 1, 2020 10:56 am PDT by
Apple today released a supplemental update for macOS Catalina 10.15.5, the fifth update to the macOS Catalina operating system that was released in October 2019. The supplemental update comes a week after the release of the macOS Catalina 10.15.5 update. ‌macOS Catalina‌ 10.15.5 is a free update that can be downloaded from the Mac App Store using the Update feature in the System...

Tim Cook Addresses George Floyd's Death and Ensuing Protests and Riots as Apple Temporarily Closes Some U.S. Stores

Sunday May 31, 2020 8:04 pm PDT by
Amid unrest in numerous U.S. cities following last week's killing of George Floyd by police in Minneapolis, Apple CEO Tim Cook has shared an internal memo with employees (via Bloomberg) addressing the pain that many are feeling and urging others to commit "to creating a better, more just world for everyone." Cook also announced that Apple is making donations to several groups challenging...

iCloud Down for Many Users, Causing 'The Application You Have Selected Does Not Exist' Error [Update: Fixed]

Tuesday June 2, 2020 4:44 pm PDT by
iCloud appears to be down for many people at the current time, based on complaints from MacRumors readers and Twitter users. Apple's system status page was not initially displaying an error when the problems started, but has been updated to confirm an issue with iCloud account sign ins. The support site says that some users may be unable to sign in to their iCloud accounts and may also be...

iOS 14 Again Said to Be Compatible With All iPhones Able to Run iOS 13

Monday June 1, 2020 2:08 pm PDT by
iOS 14 will be compatible with all iPhones and iPod touch models able to run iOS 13, according to information shared today by Israeli site The Verifier. The compatibility data was allegedly found in a leaked version of iOS 14 and confirmed by what The Verifier says is a "trusted source from the system development process." iOS 13 is compatible with the iPhone 6s and later, with a full...

iPhone 13 Prototype Mockup Depicts Notch-Free Design and USB-C Port

Thursday June 4, 2020 10:07 am PDT by
We still have a few months to go before Apple unveils the iPhone 12, but rumors about the iPhone 13, coming in fall 2021, are already circulating. Japanese site Mac Otakara today shared a rough 3D printed mockup of a 5.5-inch iPhone said to be coming in 2021, which is from "Alibaba sources." The model may be built on leaked specifications and rumors, but where the info comes from is unclear. ...