Adobe warns 2.9 million customers of data breach after cyber-attack (Update5)

[Note: if you came to this site because you’re having trouble enrolling in Experian’s service with the Adobe activation code, jump to Update 5, below. Please do not simply post that the activation code didn’t work – tell us whether you tried Firefox if you were having problems with another browser.].

Adam Gabbatt reports that Adobe has been hacked, and 2.9 million customers are affected. The breach has been confirmed by Adobe.

Adobe said “sophisticated attacks” had been carried out “very recently”.

“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems,” said Brad Arkin, chief security officer at Adobe.

“We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.”

Read more on The Guardian.

Brian Krebs has the backstory on this:

KrebsOnSecurity first became aware of the source code leak roughly one week ago, when this author — working in conjunction with fellow researcher Alex Holden, CISO of Hold Security LLC — discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll. The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.

Shortly after that discovery, KrebsOnSecurity shared several screen shots of the code repositories with Adobe. Today, Adobe responded with confirmation that it has been working on an investigation into a potentially broad-ranging breach into its networks since Sept. 17, 2013.

In an interview with this publication earlier today, Adobe confirmed that the company believes that hackers accessed a source code repository sometime in mid-August 2013, after breaking into a portion of Adobe’s network that handled credit card transactions for customers.

Read more on KrebsOnSecurity.com.

Adobe has posted a Customer Security Alert, linked from its home page with an FAQ on the incident and instructions on resetting  your password.  Of note:

As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. Customers whose user ID and password were involved will receive an email notification from Adobe with information on how to change their password. We also recommend that customers change their passwords on any website where they may have used the same user ID and password.

We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. Customers whose credit or debit card information was involved will receive a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them.

Update: A copy of Adobe’s customer notification letter has been uploaded to California’s breach site. The letter indicates that the unauthorized access occurred between September 11 and September 17. Those notified were offered one year of free credit monitoring and assistance from the Experian ProtectMyID Alert system.

Update 2: If you’re having problems signing up for Experian’s service, please see Adobe’s response in the Comments section below.

Update 3: Experian also responded to my tweet and tweeted that they are looking into the problems reported by some Adobe customers, below.

Update 4: Please see the note from  Wiebke Lips, Sr Mgr, Corporate Communications, Adobe, below.

Update 5: Despite Adobe’s and Experian’s assurances, some people are continuing to report problems. It appears that switching to Firefox from Chrome may enable you to use Experian’s site properly, so if you’re having trouble registering for their service, try switching to Firefox.

About the author: Dissent

49 comments to “Adobe warns 2.9 million customers of data breach after cyber-attack (Update5)”

You can leave a reply or Trackback this post.
  1. margaret vallhonrfat - October 16, 2013

    I tried to go to http://www.protectmyid.com/adobe to enroll in complementary credit monitoring and unable .please help.

    • Dissent - October 16, 2013

      The site looks like it’s working fine. What problem are you having? You do have an activation code, right? If you can’t get the site to work for you, call them at 1-877-297-7780

      • Janice - October 18, 2013

        I cannot access the website either and calling the 877 number just gets a recording with no ability to reach an Experion help desk. Please see if this can be corrected, otherwise some of us cannot access the appropriate membership options, etc.

        • Dissent - October 18, 2013

          Look, folks, I’m just a breach blogger and can’t really fix this for you, but I did just tweet a message to Adobe and Experian asking them to look into this. Can’t be sure they’ll even read my tweet, but not much else I can do unless you start calling Adobe at 866-412-8699. If you do call them, let us know if it helps.

        • @AdobeCare - October 18, 2013

          Hi everyone! Please try calling (866) 578-5413 to get to Experian instead. Let us how it goes. Thanks!

          • Mary Ann - October 18, 2013

            To Adobe Care: First you failed to protect my information. Next, you sent me a letter directing me to site that doesn’t exist. Then you told me to call them instead. When I did that they could not get the “unique” activation code to work either. Now what?

      • Jeanine - November 2, 2013

        I can’t get it to work either. THE SITE IS NOT WORKING FINE. I think they are using the same IT people as Obamacare.

    • Crystal - October 18, 2013

      I tried too and the url auto-redirects to the main site and the activation code will not work. :-/

      • Stacey - October 28, 2013

        Same here

    • Jamie - October 18, 2013

      The website doesn’t work for me either. Come on Adobe – pull your finger out !!

      • Dissent - October 18, 2013

        To be fair, I’m not sure whose fault this is – Adobe’s or Experian’s. In any event, it’s clearly frustrating and the system and activation code(s) should have been fully tested before consumers were given instructions to use the system. Both Adobe and Experian have contacted me in response to my tweets about consumer frustration, and I hope they will post some update or information here.

    • ralph sobel - October 29, 2013

      can not access this site that is the one adobe wrote me

  2. Dissent - October 18, 2013

    OK folks, no response to my tweet so I just called Adobe’s Press Relations hotline to alert them to your complaints and to ask for a statement. Let’s see if they respond.

  3. Dissent - October 18, 2013

    Okay, Adobe has responded to my tweet, so hopefully they’ll look into this and post something here to help you all.

    • Wiebke Lips, Sr Mgr, Corporate Communications, Adobe - October 18, 2013

      We have contacted Experian, and there does not appear to be an issue with the website or the activation codes included in the letters we have sent to customers. If you have received a letter from Adobe with the offer to enroll in a one-year complimentary credit monitoring membership, please visit the URL and personal activation code referenced in your letter.

      Please note that the URL http://www.protectmyid.com/adobe is only accessible in the United States. The Experian call center for customers in the United States at (866) 578-5413 is staffed from 6am to 6pm PDT Mondays through Fridays and from 8am to 5pm PDT on Saturdays and Sundays.

      For customers outside of the United States: Credit monitoring memberships are not available in all countries. If you received a notification letter from Adobe because your credit or debit card information may have been involved, please visit http://www.adobe.com/go/customer_alert for more information, including Adobe Customer Care contact details for your country of residence.

      • Dissent - October 18, 2013

        Thanks for responding, Wiebke. The people who have been complaining of problems are all within the U.S. (I can see their IP addresses). So please check back here tomorrow to see if people continue report problems. I’d hate for Experian (and Adobe) to think everything’s fine if it turns out consumers still can’t get the site to work for them.

  4. Al - October 18, 2013

    Just call the 1-866-578-5413 and the rep helped me registered. She even ask me for the activation code that came from the letter. She was GREAT!

    • Dissent - October 18, 2013

      Glad to hear it! I hope they fix whatever the problem is so that people can just register/sign up without having to call them for help.

  5. Harry - October 19, 2013

    I tried so many times to get into the web site they kicked me out. Anyone here familiar with the phrase I wouldn’t use it if they gave it to me for free. Good Night America

    • Dissent - October 19, 2013

      Did you happen to try another (or second) browser? Based on what Adobe says, I’m beginning to wonder if there might be something in browser settings affecting some people but not others.

      • Art - October 20, 2013

        I have tried all evening to enroll with Experian- via my only browser, Chrome….I can get to the Experian site, but the site refuses to take the activation code provided..plus all cust svc numbers on this site are useless. While the hackers and thieves will feverishly work all weekend, Adobe nor Experian feels their lives should be disrupted to have to work this first weekend of the crisis. None of the cust svc numbers posted at this site have real human beings answering only recordings to call back on Monday- hopefully I won’t be cleaned out before a “cust svc” person can bother to return to work on Mon morning!.

        What can be done if you do not have Firefox??????????

        • Dissent - October 20, 2013

          You could try disabling any extensions or pop-up blockers (i.e., temporarily disable privacy and security settings in Chrome) and see if that works, but I’m not sure why this is happening to some Chrome users, so that might not be a solution.

          This may sound “flip,” but I’d say download and install Firefox. Or call Experian on Monday and register by phone.

          Adobe is continuing to watch the comments on this site, so they will be aware of your report here.

  6. Susan - October 19, 2013

    Dissent, You are exactly right. It is a Chrome browser issue on my Mac. I’ve retried the URL in Firefox and the Activation Code screen comes up immediately.

    • Cray74 - October 19, 2013

      I’m also a Mac user, and i can confirm that Firefox works fine, unlike chrome.

    • Jeremiah Gelles - October 21, 2013

      I use firefox and have been unable to access the site!

  7. Carl - October 19, 2013

    PC user: foxfire worked for me. Chrome and others did not.

  8. The real deal - October 20, 2013

    if ur letter has anywhere on it PO BOX Chanhassen MN 55317 then you r giving ur info to scammers – if u r unsure google the address like i did and it takes you to http://www.ripoffreport.com which sites 57 instances asscociated with this address and a company called ECMC who are scammers who use ur info – check it out before u activate anything

    • Dissent - October 20, 2013

      Are you suggesting/reporting that some people are getting letters purporting to be from Adobe that are not from Adobe? Or is this a general warning that has nothing to do with the Adobe breach?

      • The real deal - October 22, 2013

        i made some kinda of mistake in my research but i don’t think i have and if it is concidence well, crap happens

    • Wiebke Lips, Sr Mgr, Corporate Communications, Adobe - October 21, 2013

      Please note that the “PO Box 483, Chanhassen, MN 55317, USA” return address is the legitimate return address on the customer notification letters sent by Adobe for the incident announced on October 3. This PO Box address is owned and managed by the vendor handling the mailing of and returns for these letters on behalf of Adobe.

      • Dissent - October 21, 2013

        Thanks, Wiebke. This is a good example of how rumors can spread and can needlessly cause alarm. It’s always best for consumers who have any questions to go straight to the horse’s mouth to verify legitimacy.

        • The real deal - October 22, 2013

          this is true but this is all digital so wheres ur proof of who you are talking to at ‘Adobe’ ?

          • Dissent - October 22, 2013

            Because Wiebke Lips was the one from Adobe who contacted me in response to my voicemail. Ms. Lips has also exchanged emails with me about the problems, and all email to/from her has used an adobe.com email address and IP.

  9. Ofelia Garcia - October 21, 2013

    Hello all,
    How about Puerto Rico? A US Commonwealth, all American Citizens and from where we pay, in American dollars all services, including our memberships, etc., etc.
    I cannot access any of the numbers listed. Tell me what to do, please. Also, should my ID be stolen, who would be responsible?
    Please advise.
    Thank!

    • Wiebke Lips, Sr Mgr, Corporate Communications, Adobe - October 21, 2013

      Hi Ofelia,

      We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your credit or debit card information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you.

      In terms of Adobe IDs and passwords, we have reset all passwords for Adobe IDs we believe to be involved and are in the process of sending email notifications to customers. Customers who have not yet received a notification but wish to proactively change their password on any Adobe service may visit the login page for their respective service to initiate the password change.

      Additionally, you will find additional information, including contact details in the event you have questions, on our Customer Support page at http://www.adobe.com/go/customer_alert.

      Hope this helps!

  10. Robert Dillon - October 21, 2013

    Following your instructions I joined? Firefox and got all signed up.
    Why put me to the misery of getting another browser? Couldn’t someone used the system at their homestead to see whether the instructions worked.

    • Dissent - October 21, 2013

      From my correspondence with Adobe’s Corporate Communications, I can tell you that they personally tried it with Chrome, but it worked for them, so they were surprised at the problems people have reported here. I’m guessing that it’s some extension or setting that’s creating problems for a subset of Chrome users. In other breaches, I’ve occasionally seen comments on this blog about people having trouble signing up for Experian’s service. I think maybe Experian needs to check into this more and either fix something in their code or post instructions on their sign-up page to help people use their site. Note that Adobe has been very active/involved in this post and thread, while Experian has not showed up at all even though they did tweet to me in response to my request for their help for commenters here.

  11. Joseph Galon - October 21, 2013

    I had trouble with Firefox, but Safari worked for activation code

  12. Bruce Green - October 22, 2013

    Please notify me when you solve this problem. I cannot connect with http://www.protectmyid.com/adpbe.

    • Dissent - October 22, 2013

      Did you try Firefox? The problem is not with Adobe but with Experian’s site. If you can’t connect via Firefox or any browser, you need to call them. It would be nice if they showed up here in this thread to respond to all the complaints and/or to post something on their sign-up page to help people.

  13. Anonymous - October 23, 2013

    the code did not work for me either.

    • Dissent - October 23, 2013

      Did you try Firefox?

  14. maia - October 23, 2013

    i just got the letter today… and i’m a bit wary/suspicious of why they’d recommend a specific ‘protection’ company… does adobe have a stake in experian?

    and does experian’s ProtectMyID Alert membership actually protect your financial/personal info from being hacked, or just deal with it after it happens?

  15. Frustrated - October 25, 2013

    I tired and the code did not work as well. When I called the number, the gentleman asked if I was trying to sign up for the Health Insurance Market Place….

    Sorry, not giving that guy my SS number.

    • Dee Dee - October 29, 2013

      Had nightmare with my Health Insurance Exchange- appears they are all using Experian to verify applicants! Well, guess what? Can’t because of the security lock down! So now I have spent 2 days with my health insurance exchange trying to explain to them that they are going to have to “verify” me some other way as I am not releasing my id lock since this Adobe breach!

      FYI, also couldn’t use activation code. Simple solution via experian’s help: Use IE (I was using google chrome) and use the site http://www.protectmyid.com/redeem instead of /adobe! Worked perfectly…now if only my state government’s healthcare website were so efficient…

  16. RW - October 27, 2013

    Why would any legit site request such personal information?

  17. LJ - October 29, 2013

    Just tried to signup with Safari on MacOS but could not do so…this has been a doubly negative customer experience with Adobe: first the data breach; then the pain in the neck ‘free’ offer that is too difficult to use (and looks like a phony come-on). Plus the Experian service costs $15.95/mo. once the free year ends…who wants that monthly charge, because of Adobe’s carelessness?

    Adobe could have automatically taken care of it for everyone all by themselves, buying everyone the membership. But they didn’t.

    Now I’m doubly mad at Adobe–once, for not taking care of my data; and twice, for wasting my time.

    Into the circular file with the Adobe mailer. I’ll think twice before buying another Adobe product until this has bee fully resolved.

    PS, bad customer relations to send out mailings with a P.O.Box instead of a street address, looks suspicious, imho.

    • Dissent - October 29, 2013

      Um… how can Adobe sign up anyone for Experian’s service when they don’t have the necessary details/info on customers (such as SSN) to enroll people?

      Personally, I’d be mad as hell if a company signed me up for any service without my authorization.

      I do think they need to get on Experian’s case to make the online signup process easier for people, though.

  18. mk - November 1, 2013

    chrome did not work for me either but internet explorer did work fine

Comments are closed.