“Very recently, Adobe’s security team discovered sophisticated attacks on our network . . .”
That was the beginning of Adobe’s disclosure on October 3 that its network had been hacked. The story is getting worse as more details emerge.
Bad guys infiltrated Adobe’s computers and got customer names and order information, plus encrypted passwords and credit card numbers. When Adobe made its initial public disclosure, it estimated that 2.9 million people were affected, which was obviously a major disaster. As reported by Brian Krebs today, the company has revised those estimates and now believes that 38 million accounts have been compromised, a complete catastrophe.
Adobe has been forced to reset many of its users’ passwords and send out letters (like the one pictured above) offering free credit monitoring for a year. That’s a mixed blessing, because monitoring does not always prevent clever bad guys from identity theft and the company handling the free monitoring will try hard to sell continued monitoring at the end of the year. You are legally entitled to a free credit report from each of the three major credit bureaus once a year (go to http://annualcreditreport.com), so formal monitoring may not be necessary. This article has a good discussion of the pros and cons of credit monitoring.
As of today, there are no reports of any credit card fraud resulting from this breach, so it’s possible that the numbers were encrypted and the bad guys can’t use them. Encrypted credit card numbers are pretty safe. Still, there is an ominous sentence in the Adobe letter: “We believe that the third party likely removed from our systems certain customer names, payment card expiration dates, encrypted payment card numbers, and other information relating to customer orders. In addition, the third party used our systems to decrypt some card numbers.” That’s a very ugly thing to drop in there casually. How does Adobe know that? Were ten credit card numbers decrypted, or ten million?
There’s another thing that makes it even worse for Adobe.
The bad guys also got the source code for several of Adobe’s major products, including Adobe Acrobat, Adobe Reader, the ColdFusion web application platform, and Adobe Photoshop. The fear is that very smart bad guys will be able to examine the source code and discover new vulnerabilities in the products, and use those to craft more effective malware. That’s a long-term problem that could affect all of us – imagine having to be paranoid of “poisoned PDFs” just like we’re forced to be paranoid about web links in case they lead to poisoned web sites. The New York Times reported that ColdFusion is used by “the United States Senate, 75 of the Fortune 100 companies and more than 10,000 other companies worldwide.”
Hacking attacks on big businesses are common. Hacking is done by governments and competitors as well as bad guys. Adobe was forced to disclose this hacking incident after Adobe source code was discovered by Krebs on the same server used earlier this year by bad guys to store data obtained by hacking into LexisNexis, Dun & Bradstreet, and Kroll Background America. (Ironically, hackers also infiltrated the National White Collar Crime Center, which helps businesses protect computer systems.)
It’s hard to know what to do differently. Adobe keeps making mistakes but its products are at the heart of the workflow for almost every office and every creative professional. Most large companies are dealing with hacking attempts of one kind or another. (Although 38 million compromised accounts really achieves a special place in the pantheon of security screwups.) We can’t stop doing work with our computers because big companies can’t keep our data safe – and yet that’s exactly what I feel like doing sometimes.
Keep an eye on your credit history, choose strong passwords, and be careful out there.