Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Crime

Adobe Hacked: Almost 3 Million Accounts Compromised 256

sl4shd0rk writes "Adobe Systems Inc. is expected to announce today that hackers broke into its network and stole source code for an as-yet undetermined number of software titles, including its ColdFusion Web application platform, and possibly its Acrobat family of products. The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts."
This discussion has been archived. No new comments can be posted.

Adobe Hacked: Almost 3 Million Accounts Compromised

Comments Filter:
  • by hawks5999 ( 588198 ) on Thursday October 03, 2013 @05:30PM (#45030681)
    It's too risky to give your credit card number to a company like Adobe.
    • Re: (Score:2, Informative)

      by Ksevio ( 865461 )
      In related news, it turns out Adobe will give you some sort of software if you give them a credit card number. What a crazy business model!
    • Seconded (Score:3, Funny)

      by themushroom ( 197365 )

      This makes me happy to have p1r4t3d versions of CS5 and CS6.
      Adobe doesn't know my details and neither do the hackers, easy peasie lemon squeezie.

    • by amicusNYCL ( 1538833 ) on Thursday October 03, 2013 @05:55PM (#45030905)

      You choose to not pay for the software that you prefer to use because you don't want to give your credit card number to Adobe? After which episode that Adobe had credit card records stolen from it did you make that decision? How long ago was that? How many times has Adobe been attacked and had customer credit card information stolen? You're sure that's not just a lame justification for not wanting to pay for the software that you prefer to use?

      • by themushroom ( 197365 ) on Thursday October 03, 2013 @06:13PM (#45031063) Homepage

        Buying a piece of software from a vendor: Adobe doesn't have your details.
        Paying on a monthly basis to a software company: Adobe has your details.

        Your point about the inability to see the future is intact. However, it doesn't discount being able to predict the potential future based on math and science.

        • Still not seeing the part where software piracy is justified.

        • by MachineShedFred ( 621896 ) on Friday October 04, 2013 @08:37AM (#45034913) Journal

          I'll take this one further:

          Buying a piece of software from a vendor: Adobe doesn't have your details.
          Paying on a monthly basis to a software company: Adobe has your details.
          Software vendor not named Microsoft most responsible for exploits and attacks in the last 10 years: Adobe Systems

          If they can't even keep something like Acrobat Reader secure, how the hell does anyone trust them with credit card information? The long road that has been "software activation" led us to this place.

      • You choose to not pay for the software that you prefer to use because you don't want to give your credit card number to Adobe? After which episode that Adobe had credit card records stolen from it did you make that decision? How long ago was that? How many times has Adobe been attacked and had customer credit card information stolen? You're sure that's not just a lame justification for not wanting to pay for the software that you prefer to use?

        Shhh! I can't hear anything for all the whooshing around here!

      • After which episode that Adobe had credit card records stolen from it did you make that decision?

        Adobe may or may have had one before.

        But there are enough other companies that have, that it's easy to make a rational choice based on the probability that it will happen to a company like Adobe, based on what has happened to companies at large that attract large bases of credit card numbers - especially as Adobe has recently moving to a subscription based service where they have presumably got a lot more credit

    • by rtb61 ( 674572 ) on Thursday October 03, 2013 @08:47PM (#45032045) Homepage

      Especially when the break in was prior to the 17th of September and they didn't notify customer until another customer noticed Adobe source code floating around the internet October the 13th. It would seem if an outside company had not discovered the evidence of the breach Adobes customers would never have been warned that their log in details and credit card details had been stolen. Oh but the credit card details still maybe might secure because they were encrypted and those that could hack the system (likely ex-insiders and outsourcers) maybe might not have passwords for the encryption even though they had passwords for everything else.

      It seems like Adobe needs to be answering some very serious question in a court of law as to why that information was withheld from customers for so long.

  • by James Sarvey ( 3348883 ) on Thursday October 03, 2013 @05:31PM (#45030687)
    ...to a nicer company. I feel bad for their customers, but I'm hoping this kind of breach pushes people to insist that their sensitive data isn't stored when it isn't absolutely necessary.
    • Re: (Score:3, Interesting)

      Why do they need to store it use it lose it credit card companies need to insist as it is them who foot the bill when it is used. I will not lose the number it is on my card you have no need to store it. Storing it should be conspiracy to steal it and use it.
      • by Anonymous Coward on Thursday October 03, 2013 @05:51PM (#45030859)

        Adobe have been pushing software rental for the last couple of years. This involves recurrent payments. Recurrent payments require the vendor to store credit card details, or outsource the payment processing to a third party who stores the details.

        Either way, if you're renting software your credit card details are being stored.

    • TBH it seems like I am getting an email every week now of some site or company having their records hacked and telling me to change my passwords.

  • good thing (Score:4, Insightful)

    by Anonymous Coward on Thursday October 03, 2013 @05:33PM (#45030707)

    you can still buy offline standalone applications from adobe.... oh, wait.

  • Interesting Quote (Score:5, Insightful)

    by BenSchuarmer ( 922752 ) on Thursday October 03, 2013 @05:33PM (#45030713)

    However, as far as the source code is concerned, Adobe assured that there is no "increased risk to customers as a result of this incident."

    In other words, the risk is as bad as ever.

    • by gmuslera ( 3436 )
      Worse. The source code included the required NSA backdoor. Now requiring to insert backdoors to manufacturers will lead to the logical consequence
      • Re:Interesting Quote (Score:5, Interesting)

        by causality ( 777677 ) on Thursday October 03, 2013 @07:33PM (#45031665)

        Worse. The source code included the required NSA backdoor. Now requiring to insert backdoors to manufacturers will lead to the logical consequence

        We live in a society that, as Bill Hicks noted, is at about an eighth-grade emotional level collectively (he was being generous). Few people acknowledge the logical consequence, and seem to believe it magically goes away if they really, badly, truly wish hard enough or get upset enough.

        I suspect the government understands the situation, however. Malicious attackers and other criminals exploiting mandatory backdoors only provides an excuse for more laws regulating the Internet and expanding executive powers. To protect you from those evil hackers, of course. If nothing else, the NSA gets their little back-door so they can more easily betray their own countrymen in the name of safety; if that goes wrong in the worst possible way, then: bonus! For the evil men who love power and know no loyalty, it's a win-win. Sadly.

        • by gmuslera ( 3436 )
          More laws regulating the internet to empower the NSA efforts will lead to countries (not just Brazil) leaving internet, or setting walled gardens, you can get out (by approved and monitored paths), you can use what is inside, but people from outside can't get in, and maybe the use of commercial US software could have some penalization (less access/tighly controlled). Is not a win-win, is an all-lose scenario but with someone yelling that we won.
        • by AHuxley ( 892839 )
          Yes, recall the printing efforts:
          Secret Code in Color Printers Lets Government Track You
          https://www.eff.org/press/archives/2005/10/16 [eff.org]
          Makes you wonder what a digital file could hold or have blurring reversible :)
    • by fuzzyfuzzyfungus ( 1223518 ) on Thursday October 03, 2013 @06:08PM (#45031007) Journal

      However, as far as the source code is concerned, Adobe assured that there is no "increased risk to customers as a result of this incident."

      In other words, the risk is as bad as ever.

      I'm not sure why Adobe is being so pessimistic. This might be the first time in years that anybody who could find their own ass with both hands and a map, much less do code security, has examined the source code involved...

  • by Statecraftsman ( 718862 ) on Thursday October 03, 2013 @05:38PM (#45030753)
    What are the odds this attack didn't involve a pdf exploit?
  • Is anyone surprised that a company that is already battered by a poor security reputation would be compromised in this way?

    That they are doing their own billing isn't surprising considering their size, but not a place I'd put a personal card number.

    • Sorry for those whose accounts were compromised. But speaking as a FOSS user, I see this as karma for all those times that Adobe made Linux look bad because Adobe Crash (aka Flash) ran worse under that OS than under MS Windows. Which isn't to say that it actually ran well under Windows, just that it ran worse under Linux and had 2x the system requirements. I even remember some Adobe engineer blaming the poor support for Linux on its fucktitude of audio (Alsa, OSS, Pulse, etc) and video system software when

  • I, for one... (Score:5, Interesting)

    by msauve ( 701917 ) on Thursday October 03, 2013 @05:48PM (#45030833)
    ...can't wait until the hackers fork their code, and create something stable and less buggy from it. It will obviously take lots of work, but if they have the skills to hack in, they're up to the challenge.
    • by bmo ( 77928 )

      and create something stable and less buggy from it

      Wishful thinking requiring LSD and shrooms at the same time.

      Their code base for Photoshop, for example, goes back to the mid-80s. The amount of crunchy crusty cruft probably makes "cleaning it up and making it less buggy" impossible.

      And if the rant from the guy who maintained the Linux fork of Flash Player, a few years ago, is any indication, anything related to Flash is spaghetti-coded.

      So I'm not gonna hold my breath.

      --
      BMO

      • by msauve ( 701917 )
        Well, they could rewrite it in Visual BASIC. It couldn't make it any worse.
        • by bmo ( 77928 )

          I think rewriting it in any language, including TECO and brainfuck might improve things.

          Emacs was once a bunch of TECO macros. Which explains a lot about both RMS and emacs itself.

          --
          BMO

  • I bet they used Flash to get in: since Adobe seems to be pushing Flash updates about every 10 minutes lately, it's evidently got some major security problems.

    • I bet they used Flash to get in: since Adobe seems to be pushing Flash updates about every 10 minutes lately, it's evidently got some major security problems.

      It's just yet another proof (as though more were needed) that security isn't something you can bolt-on after the fact. It would probably have required of them less effort to have done a rewrite from scratch, designed from the beginning with security in mind, than to have issued so very many patches and updates throughout the years.

      Do they never consider that? Or I suppose it doesn't matter until something really embarassing like this happens?

      • Bolt on after the fact?

        Flash has had so many patches that, if it were an actual physical thing, it would be composed entirely of welds and rivets.

        • Bolt on after the fact?

          Flash has had so many patches that, if it were an actual physical thing, it would be composed entirely of welds and rivets.

          It would be like Grey Goo, only produced without nanotechnology.

        • Don't forget the duct tape.
  • by Dunbal ( 464142 ) * on Thursday October 03, 2013 @05:53PM (#45030889)

    According to TFA :"no "increased risk to customers as a result of this incident."

    Considering that Adobe products are an endless stream of security vulnerabilities and zero days, I would say this is a fair statement. You have the same risk as you had before, when you allow their products onto your machines. As for the credit card data - shame on them. Why was that even on the same network?

  • No cloud for you! (Score:5, Insightful)

    by onyxruby ( 118189 ) <onyxruby@ c o m c a s t . net> on Thursday October 03, 2013 @05:54PM (#45030895)

    Adobe must be the one company in the world to have a worse track record at security than Microsoft, Oracle or Mozilla. They have ignored industry best practices and been a thorn in the side of the rest of the industry for years while being oblivious to the damage their customers have suffered from their shoddy practices.

    This is the same company that wants you to rely on their security as the only way to their products now that they only rent a cloud based versions of Acrobat Suite. Incidents like this are inevitable and people need to learn that their is nothing magical about the 'cloud'. Companies that have cloud dependencies for the use of their products necessarily expose all of their customers when they get cracked.

    Do you trust Adobe with your security? Do you really think a company with their track record is going to get their act together?

    • by Voyager529 ( 1363959 ) <voyager529@yahoo. c o m> on Thursday October 03, 2013 @06:17PM (#45031111)

      Adobe must be the one company in the world to have a worse track record at security than Microsoft, Oracle or Mozilla.

      ...Sony?

    • Re:No cloud for you! (Score:5, Interesting)

      by Tom ( 822 ) on Thursday October 03, 2013 @06:21PM (#45031133) Homepage Journal

      This is the same company that wants you to rely on their security as the only way to their products now that they only rent a cloud based versions of Acrobat Suite.

      This.

      I was actually on the verge of buying some of their stuff just a week ago. Decided against it when I found out they don't sell standalone versions anymore.

    • Adobe != security (Score:5, Interesting)

      by oneiros27 ( 46144 ) on Thursday October 03, 2013 @07:52PM (#45031791) Homepage

      Adobe must be the one company in the world to have a worse track record at security than Microsoft, Oracle or Mozilla.

      At my work, they require us to take annual security training ... and this year, I flat out refused to take it from any of my systems ... because I had to install flash & turn on java in my web browser. I had to go to the 'training center' to take it from one of the machines there.

      ... not a week later, the first of the 2013 Flash vulnerabilities was announced ... then a couple of weeks later, another one ... then the Java one ...

      Then I was told that I had to take the 'advanced security' training ... what was the recommendation? to turn off flash & java in your web browser.

      ah, the irony.

      • If your 'advanced' training is to disable Flash and Java, well, good luck at your company. Apparently the Peter Principle is alive and well there.
  • It is not like this hasn't been reported at least weekly for years for various companies.

    What the hell are major companies thinking?

  • by PerlPunk ( 548551 ) on Thursday October 03, 2013 @05:58PM (#45030933) Homepage Journal

    This is big news. Expect untold exploits for the Adobe technology stack to emerge out of this. If someone or some group is determined to run Adobe into the ground, they are off to a good start.

    • by tech.kyle ( 2800087 ) on Thursday October 03, 2013 @06:13PM (#45031071)

      Expect untold exploits for the Adobe technology stack to emerge out of this.

      This. This is why people should be concerned. Open source programs have their code exposed to everyone, including those with malicious intent, and are therefor "battle hardened" for security. Closed source programs live a sheltered life and having that source suddenly available means those with malicious intent can use Adobe's relatively weak source code to develop new exploits for clients. Lots of them.

      Adobe is a household name that users couldn't get rid of if they wanted to. Flash, for example, is on nearly every internet-connected PC. This is a problem for everyone.

  • ............

    CLOUUUUUUUUUD!

    welp, guess it's time to get my CC changed.

  • by kav2k ( 1545689 ) on Thursday October 03, 2013 @06:50PM (#45031367)

    So, let me recap.
    Adobe just lost the source code to one of the most exposed attack surfaces known for vulnerabilities?
    That'll be one hell of a peer review.

    • by mengel ( 13619 )
      Yes, I mean they stole the source code to Cold Fusion?!? That's kind of like breaking into Ford automotive and stealing the blueprints for the Pinto...
  • Thank God I've never actually purchased any Adobe products. Phew, that was a close one.

  • A responsible company that size should be releasing several thousand fake corporate client lists per day. If every company did its civil duty and released thousands of fake client lists, the identity thieves would never be able to find a needle in a haystack. Nature adapts camouflage, not invisibility.
  • Really, given the complete failure to secure well... any of their desktop software, is there any surprise?
  • They discovered they were hacked on thursday. Any idea when the breach occurred?
  • I am so pissed off about Adobe's business model that I may never buy an Adobe product ever again.

    That company can go to hell.

  • by slonik ( 108174 ) on Thursday October 03, 2013 @10:39PM (#45032615)
    Citibank offers "Virtual Credit Cards" that are generated for you on demand. Each card is valid for one merchant only (the first transaction locks the merchant), has configurable expiration date and maximum amount limit. Even if stolen such virtual cards are of little use to the bad guys.
  • Adobe: You'll shit a brick!

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...