Adobe warns 2.9 million customers of data breach after cyber-attack (Update5)
[Note: if you came to this site because you’re having trouble enrolling in Experian’s service with the Adobe activation code, jump to Update 5, below. Please do not simply post that the activation code didn’t work – tell us whether you tried Firefox if you were having problems with another browser.].
Adam Gabbatt reports that Adobe has been hacked, and 2.9 million customers are affected. The breach has been confirmed by Adobe.
Adobe said “sophisticated attacks” had been carried out “very recently”.
“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems,” said Brad Arkin, chief security officer at Adobe.
“We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.”
Read more on The Guardian.
Brian Krebs has the backstory on this:
KrebsOnSecurity first became aware of the source code leak roughly one week ago, when this author — working in conjunction with fellow researcher Alex Holden, CISO of Hold Security LLC — discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll. The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.
Shortly after that discovery, KrebsOnSecurity shared several screen shots of the code repositories with Adobe. Today, Adobe responded with confirmation that it has been working on an investigation into a potentially broad-ranging breach into its networks since Sept. 17, 2013.
In an interview with this publication earlier today, Adobe confirmed that the company believes that hackers accessed a source code repository sometime in mid-August 2013, after breaking into a portion of Adobe’s network that handled credit card transactions for customers.
Read more on KrebsOnSecurity.com.
Adobe has posted a Customer Security Alert, linked from its home page with an FAQ on the incident and instructions on resetting your password. Of note:
As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. Customers whose user ID and password were involved will receive an email notification from Adobe with information on how to change their password. We also recommend that customers change their passwords on any website where they may have used the same user ID and password.
We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. Customers whose credit or debit card information was involved will receive a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them.
Update: A copy of Adobe’s customer notification letter has been uploaded to California’s breach site. The letter indicates that the unauthorized access occurred between September 11 and September 17. Those notified were offered one year of free credit monitoring and assistance from the Experian ProtectMyID Alert system.
Update 2: If you’re having problems signing up for Experian’s service, please see Adobe’s response in the Comments section below.
Update 3: Experian also responded to my tweet and tweeted that they are looking into the problems reported by some Adobe customers, below.
Update 4: Please see the note from Wiebke Lips, Sr Mgr, Corporate Communications, Adobe, below.
Update 5: Despite Adobe’s and Experian’s assurances, some people are continuing to report problems. It appears that switching to Firefox from Chrome may enable you to use Experian’s site properly, so if you’re having trouble registering for their service, try switching to Firefox.