Adobe admits 2.9M customer accounts have been compromised

Summary: Unfortunately, the attack on Adobe also compromised customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.


Adobe announced on Thursday that it has been the target of a major security breach in which sensitive and personal data about millions of its customers have been put at risk.

Brad Arkin, senior director of security for Adobe products and services, explained in a blog post that the attack involved both customer information and illegal access to source code for "numerous Adobe products."

A few examples include Adobe Acrobat, ColdFusion, and the ColdFusion Builder. However, as far as the source code is concerned, Adobe assured that there is no "increased risk to customers as a result of this incident."

Adobe officials added that the investigation has not turned up any zero-day attacks either.

Unfortunately, the culprits have obtained access to a large swath of Adobe customer IDs and encrypted passwords.

Arkin specified that the attackers removed sensitive information (i.e. names, encrypted credit or debit card numbers, expiration dates, etc.) about approximately 2.9 million Adobe customers.

He added that investigators don't "believe the attackers removed decrypted credit or debit card numbers" from Adobe's systems.

While federal law officials are involved, Adobe stressed that there are some precautions that customers need to take now.

Adobe is resetting the passwords on breached Adobe customer IDs, and users will receive an email if they are affected. The software giant is also currently notifying customers whose credit or debit card information was exposed.

Adobe has also promised to offer these customers the option of enrolling in a one-year complimentary credit monitoring membership where available.

  • This is exactly why

    all of my files, data and personal information will not be "on the Cloud." Will I ever be totally safe keeping it in my firewall perimeter? No. Indeed not.

    But my separate data will require a separate attack. It won't be skimmed off a server along with several million other folks' data. I expect that this will hit the Creative Cloud folks much more than those that forewent subscriptions and purchased durable licenses, like I did.
    • Unless you are the unabomber

      You are on the cloud already. Do you have a credit card? Do you shop at any major retail store? Do you have a bank account? Do you have identification documents? Do you work above the table?

      If you answered yes to any of these questions, you are on the cloud.
      • You won't find

        any of my tax or accounting information stored in a cloud file server. Neither will you find my invoices or billing information. As for my IP and designs, images, or videos, none of that is on the cloud.

        Further, you will never see me using a smart phone or tablet or anything running iOS or Droid to access online merchants. You will never see me using a free WiFi hotspot ever.

        I trust my bank to keep my money out of some criminal's hands; that is, unless you count the bank itself.
        • Unavoidable

          Strange thing to say, "never see me using a smart phone or tablet... to access online merchants" -- doing so via a web browser on a device running iOS is no more vulnerable than a device running MacOS. How small or mobile the device is doesn't matter and you may even be using the same network connection for both.

          As for avoiding cloud services, that hardly protects you from having your credit card, billing information, invoices, health records, or whatever compromised. That risk has to do with how vulnerable the data servers are of a company you do business with, regardless of whether you use cloud services or even do online shopping to deal with them.
          • Flawed Logic

            I agree that being on the cloud is very difficult in this day and age, but surely you guys can see that the more you are out there, the more risk you have. I'm not saying not to sign up for Adobe, but you must respect one's desires to minimize the amount they are on the cloud. It's ridiculous to think that just because you have a bank that is online, you should just automatically give in and accept all of your transactions be online. It's like saying because you leave your car doors unlocked, you should just unlock your house as well.
          • Talk about flawed logic.

            Doing something in the cloud is in no way more or less risky than any other activity that you might do in person. As Christopher has said, there is no way around it.

            The fact is going to a local restaurant and using your credit/debit card there is far more likely to result in a breach of your card than an online merchant. Unless you are standing over the wait staff as they run your card, they can be in the back writing down your information to use later online, including the CVV code.

            Also, when they authorize your card, it takes the same trip to some server somewhere for processing. Like Christopher said, unless you get paid in cash, deal in cash, and store your cash in a mattress, then your data is only as safe as the measures standing between the merchant/bank that holds that data and the hacker that is trying to steal.

            If you are concerned about security on the web, and therefore will not shop online, well that is your choice, but let's not live in fairy land where one is better than the other.

            The fact is, if you can logon and access your bank account, and if a merchant can transmit credit processing and payroll online, then it is possible, however unlikely that your information will be stolen this way.

            SO is it wise to limit attack vectors? Yes. But each merchant you go to is yet one more vector, Physical or virtual. And when shopping online, create a unique password for every merchant you go to, and keep a password safe that can track all of those passwords. If every site you go on is the same password that you use for everything, then if that password is ever compromised, then every account that uses it will be compromised.
        • Banks on the cloud

          I find that every banking services vendor (software banks use) out there is preaching cloud. Some don't even offer a completely in-house solution any longer. It's frustrating in that we can no longer manage our own risk as closely as we would like. The cloud services vendor won't take the reputation downfall after a breach but the bank most certainly will.

          Cloud has its place. Critical private information is not that place. Keep it in-house people.
          Tell your software vendors to pump sand and get back to creating real products and services.
        • How is prison?

      • Give up?

        Are you implying we all just give up any expectation of privacy or security?

        Like just about everything, the cloud comes with risks (unacceptable risks, IMHO). Be aware of them and make your own choice.
      • Encryption

        Crashplan is backup software that encrypts data locally before sending it to their servers. You have the option of specifying your own 448 bit encryption key. That key is not stored anywhere in Crashplan and you have to provide it for restore. I think the goal is to encrypt data in such a way that it is only accessible by the owner.
      • Not the point.

        I guess you think perhaps you might be delivering some shocking news that people who made purchases or do banking online for example have a cloud presence already.

        I would hope that anyone who frequents these pages is already well aware of that. And that's not the point about concerns of cloud computing.

        The concern is that there is plenty enough information about each of us out there floating around in the cloud already. The notion that we might be prepared to upload every, or most of our digital lives to some online service is the final straw that most rational people don't want to get into. At least not be pushed into. The problem as many people are now beginning to foresee it is that it appears that the IT powers that be would like to see in some not too distant future where our giant sized terabyte+ sized HD's disappeared and we paid them fees to store all that is digital in our lives.

        People are not necessarily saying they don't want ANYTHING to do with the cloud, but what they do want is control and value and security.

        People don't want all their data and content just being part of some easily identified conglomerate of data that looks a lot like a ripe juicy target for hackers.

        People don't want to have to pay to store all their data somewhere off their own property when a one time purchase of their own oversized HD will do the trick, and it leaves their data off and away from massive juicy looking targets. For a few bucks more, HD enclosures can be purchased and that HD can be an outboard HD that can be tucked into a suitcase and be taken on a trip and end up being plugged into any computer and be accessed to show huge amounts of content, so long as there is electricity and even if there is NO internet connection.

        People don't want to be at ANY risk of losing contact with their own data just because there is an internet outage...for any reason, of any kind.

        When you open a bank account and do online banking the bank doesn't charge you some kind of fee for your online banking as opposed to doing it in person.

        When you do some online shopping it's not like the company you're dealing with charges you some kind of online service premium for making the purchase online as opposed to doing it in person.

        What much of the public is now waking up to is that it's pretty difficult to conceive of an online data storage service holding a terabyte or more of your data indefinitely for free, without ads. Without selling information about the kinds of things you have stored with them. Just pretty hard to imagine.

        And then there is the security issue. There is a difference between some company that's holding your banking information and some company that's holding all your strictly personal data life family photos, maybe a transcript of that book you're working on. Perhaps even other irreplaceable digitized things. The company that allows thieves to break into their servers and steal banking data is a situation that can often be handled when one is properly notified, it's a situation where if you end up being out money you may very likely have a way to come back on that company for restitution of that money due to their lax security.

        If your personal data is in a digital warehouse online that gets broken into by hackers, if they have mischief on their minds it may simply be destruction and corruption of data that might be the result and then you could have "x" number of hundreds of personal photos and documents permanently unretrievable. There's not often a whole lot of satisfactory recourse to that outcome. You still may be able to make a lax company pay for their poor security, but you may have to kiss goodbye a fantastic amount of personal digitized content you have no way of getting back.

        And when it comes to complete cloud computing solutions it doesn't just end there. It's paying monthly fees for all your big time apps perhaps. Any number of things people have decided to pay for just once, and now they own it and have it, cloud computing could demand a rental fee for all kinds of things, and while that may include the costs of free updating to the latest and greatest versions of the cloud based software, you may get stuck paying that monthly rental fee for an updated service or application for which you like the older version better and normally wouldn't upgrade.

        There's plenty to not like about cloud computing.

        The bottom line is that the big fellas in IT want it. They want it because it will provide more control by them, a more reliable and profitable income stream for them and if it is all properly implemented, where everyone is using devices that can only get data from online, no USB, no DVD drive, and installations only from a walled garden ecosystem, with tiny onboard hard drives, then it secures them against piracy.

        That's all good for them and not a significant lot good for the average person who now can get powerful, reliable hardware very cheap, and a public that knows that software doesn't wear out.

        SO all this silliness about having an online presence already is nothing like being the issue at hand.
        • Nice Book

          It's three times longer than the article. Next time, just post a link to your blog. Geesh.
        • What the hell was that...

          Here's a thought, Cayble: Try and hit the points you want to make and then move on already.
    • Ditto Splork.

      Durable licenses for me, too. Glad I didn't fall for the Creative Cloud sales pitch.
    • We are all on the cloud

      I try my best to not store credit cards on merchant sites but many require an active card. It's almost impossible to stay under the radar online unless you do nothing but use a browser on a public PC. But your point is right, being in the cloud risks compromise and the more places you're on it the higher the risks. I have no use for the cloud and any company who tries to tell me it's safe.
      • Credit cards vulnerability can be minimized, if the banks wanted

        Years ago, American Express had a GREAT program called "Secure Credit" (or something like that). Basically, whenever you wanted to make an online purchase, you signed into AMEX and they gave you a virtual credit card number that would work only once. You used the virtual card to complete your purchase and the vendor you purchased from never got your real CC info.

        If hackers breached the vendor's system and stole information, the stolen CC#'s would be worthless because AMEX would not authorize additional purchases.

        While this wouldn't totally solve the cloud risk issue, it sure as heck would have helped to minimize it. Guess what? AMEX dropped the program. It was cheaper for them to let you and I deal with these hassles than to spend a few $ to help protect us.

        All banks can do this. All are choosing not to.
    • Unless

      Unless you bought the hard licensed copy of their software online in which case they had an account for you anyway. And even if you bought the license elsewhere, did you pay cash? If not your credit card info could still be compromised by an equally careless vendor or processor.
      This isn't a cloud vs. not cloud issue - if you do any online transactions your info is at the mercy of the weakest link in the chain

      This only gets better when companies are held liable for losses due to info stolen due to their carelessness - securing this kind of stuff isn't an unfathomable science - but you can't expect some Java code monkeys cobbling together the website to understand how to do it correctly
      • Governments should stop merchants from storing sensitive customer info

        There is no reason why an online store should keep your details. For Apple, you have to give your details before you can even enter the store, even if you are not going to buy an app. That is ridiculous - what if the High Street stores did that? Sorry Sir, you can't come into the store unless you give us your credit card info, home address, favourite colour and the name of your dog's great grandfather. Just how popular would Starbucks and co be with that policy in place? So you have to ask why is it that merchants want to store your info, even if you are not going to purchase anything - when things go wrong, as they always will, nobody wins. Adobe are going to tighten their security, now the horse has bolted. If they didn't hold the info in the first place.........
        • Subscription service

          Adobe offers software subscriptions. Of course they need to keep credit card information on file for at least some customers. Apple's situation is stupid, but it was to reduce complexity making purchases from a mobile device - it at least half makes sense to store credit card details and not have to type them on a tiny screen. But not letting you browse the store is insane.
          • you don't need to store CC info

            Even 20 years ago, you didn't have to store CC info for subscriptions. The intervals are set up with the first charge. The next payments are made without transmitting the full CC/CCV and other info. You used reference data to the initial transaction along with the interval info. We had a dial-up modem to back then. But...that required that you stayed with the same auth vendor, and didn't shop around.

            You can avoid handing over CC info to Adobe by buying 1-month, 3-month, etc cards from Amazon or CDW. If you already have a trust relationship with them, it might be worth the peace-of-mind to _not_ hand over more CC info to Adobe.

            Adobe knows that 1 year free credit monitoring is bogus. People won't use it. And the info skimmed from their databases will be used 1 year + 1 day from now anyway.