Adobe Hacked: Almost 3 Million Accounts Compromised
sl4shd0rk writes "Adobe Systems Inc. is expected to announce today that hackers broke into its network and stole source code for an as-yet undetermined number of software titles, including its ColdFusion Web application platform, and possibly its Acrobat family of products. The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts."
It's too risky to give your credit card number to a company like Adobe.
...to a nicer company. I feel bad for their customers, but I'm hoping this kind of breach pushes people to insist that their sensitive data isn't stored when it isn't absolutely necessary.
You can still buy offline standalone applications from Adobe.... oh, wait.
However, as far as the source code is concerned, Adobe assured that there is no "increased risk to customers as a result of this incident."
In other words, the risk is as bad as ever.
What are the odds this attack didn't involve a pdf exploit?
Because they are the number one software subscription company in the world?
Is anyone surprised that a company that is already battered by a poor security reputation would be compromised in this way?
That they are doing their own billing isn't surprising considering their size, but not a place I'd put a personal card number.
...can't wait until the hackers fork their code, and create something stable and less buggy from it. It will obviously take lots of work, but if they have the skills to hack in, they're up to the challenge.
"National Security is the chief cause of national insecurity." - Celine's First Law
I bet they used Flash to get in: since Adobe seems to be pushing Flash updates about every 10 minutes lately, it's evidently got some major security problems.
Doesn't say much for the security of ColdFusion. Maybe it's time for Adobe to stop eating their own dogfood.
I am becoming gerund, destroyer of verbs.
According to TFA: no "increased risk to customers as a result of this incident."
Considering that Adobe products are an endless stream of security vulnerabilities and zero days, I would say this is a fair statement. You have the same risk as you had before, when you allow their products onto your machines. As for the credit card data - shame on them. Why was that even on the same network?
Seven puppies were harmed during the making of this post.
Ok, I won't say gimp. How about Corel Draw?
Adobe must be the one company in the world to have a worse track record at security than Microsoft, Oracle or Mozilla. They have ignored industry best practices and been a thorn in the side of the rest of the industry for years while being oblivious to the damage their customers have suffered from their shoddy practices.
This is the same company that wants you to rely on their security as the only way to their products now that they only rent cloud-based versions of Acrobat Suite. Incidents like this are inevitable and people need to learn that there is nothing magical about the 'cloud'. Companies that have cloud dependencies for the use of their products necessarily expose all of their customers when they get cracked.
Do you trust Adobe with your security? Do you really think a company with their track record is going to get their act together?
This makes me happy to have p1r4t3d versions of CS5 and CS6.
Adobe doesn't know my details and neither do the hackers, easy peasie lemon squeezie.
Laughter is the Spackle of the Soul.
It is not like this hasn't been reported at least weekly for years for various companies.
What the hell are major companies thinking?
This is big news. Expect untold exploits for the Adobe technology stack to emerge out of this. If someone or some group is determined to run Adobe into the ground, they are off to a good start.
Was wondering how long it would be until this choice to rent, not sell, software would bite them in their big red A.
Laughter is the Spackle of the Soul.
The code could easily be identified and the source taken down. It might make its rounds on file sharing sites, but all it'll likely be good for is compiling yourself with little to no modifications to the code or for learning from (which would be its most valuable use).
If we colonize Mars, it won't be the World Wide Web anymore. UWW?
............
CLOUUUUUUUUUD!
welp, guess it's time to get my CC changed.
If you were me, you'd be good lookin'. - six string samurai
Your post looks photoshopped. Yep, definitely. The reflections are all wrong.
Ezekiel 23:20
3 million plaintext numbers means that Adobe's PCI team rides the short PCI bus to work...
Buying a piece of software from a vendor: Adobe doesn't have your details.
Paying on a monthly basis to a software company: Adobe has your details.
Your point about the inability to see the future is intact. However, it doesn't discount being able to predict the potential future based on math and science.
Laughter is the Spackle of the Soul.
ColdFusion is built on JRun which is the most miserable POS Java servlet container conceived by the mind of man.
Since the source code is out maybe it will get some bug fixes.
Adobe appear to be so focused on pushing their "money making" business model (that no-one wants) they forget to secure their backend systems. I wonder what incentives the NSA give them to pipe the users' details into PRISM?
Where did companies like Apple and Microsoft come from then?
Take this sig and smoke it.
photoshopped reflections expert here, can confirm
Where did companies like Apple and Microsoft come from then?
Microsoft began with MS Basic, which, if I remember correctly, was about 8k of assembler.
Even 'Hello World' compiles to more than 8k on most modern operating systems.
The code could easily be identified and the source taken down. It might make its rounds on file sharing sites, but all it'll likely be good for is compiling yourself with little to no modifications to the code or for learning from (which would be its most valuable use).
No, I think we'll find its most valuable use will be in finding exploits and selling them on the black market. Not valuable to most people, but definitely to those who stole the data.
3 million plaintext numbers means that Adobe's PCI team rides the short PCI bus to work...
...or it means that the attackers did a memory dump, and that many numbers were in memory at that time. Unlikely, but possible. More likely that Adobe gets their PCI status revoked. Except that in this case, the data was encrypted. The attackers just hit a lot of systems and grabbed a lot of data. Sorting it out to make anything useful out of some of the DBs may be quite a bit of work.
However, they've got email addresses and source code. So they can forge emails from Adobe to their customers with links to trojanized "updates" without much difficulty.
So, let me recap.
Adobe just lost the source code to one of the most exposed attack surfaces known for vulnerabilities?
That'll be one hell of a peer review.
That's fucking epic. How will Adobe continue to develop any of those applications without it?
They'll just have to start again. There will be a lot of Adobe developers putting in a lot of time to rewrite all that code.
One 4KB Demo maybe then : Chaos Theory 4k (KK remix).
The containment and clean up of this will cost Adobe a lot of money, sure, but people are going to continue to use their software and Adobe will continue to operate as normal. The regular every day user won't care and the company will continue to make awesome profits.
Not yet clear what system was breached and what platform it was running. Do you have a link to details of the attack vector? I haven't run ColdFusion in years; once Adobe purchased it and moved it to JRun I migrated my code off ColdFusion.
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
The articles so far seem to indicate the card numbers were encrypted.
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
From TFA: "nearly three million customer credit card records"
Thank God I've never actually purchased any Adobe products. Phew, that was a close one.
Organization? You must be joking..
Crackers, not hackers.
After which episode that Adobe had credit card records stolen from it did you make that decision?
Adobe may or may not have had one before.
But there are enough other companies that have, that it's easy to make a rational choice based on the probability that it will happen to a company like Adobe, based on what has happened to companies at large that attract large bases of credit card numbers - especially as Adobe has recently moved to a subscription-based service where they have presumably got a lot more credit card numbers stored than they used to before.
That was a factor in why I decided that I would not subscribe to the Photoshop subscription, even though the more recent photographically oriented pricing for just a few products was more appealing.
I'm all for paying for products myself, I do so whenever possible. But what I am not for is needless exposure of my financial data just because a company would prefer recurring revenue.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The first two versions they made were named after the size of the code.
4k and 8k BASIC. As a kid in the early 80s, I used a lot of 4k and 8k BASIC listings and "ported" programs over to Apple, TRS-80, and TI BASIC.
Because everybody had different syntax for BASIC.
And they were named Micro-Soft at the time.
/old
//slashies on slashdot? [palin] you betcha [/palin]
///and peek and poke were the gateway drug to assembler.
--
BMO
ColdFusion is built on JRun...
Hey, the 90's are calling, they want your comment back.
ColdFusion runs on Tomcat now.
Adobe Hacked: Almost 3 Million Accounts Compromised
Were 3 million accounts "almost" compromised, or does the poster mean "close to" 3 million accounts compromised?
Either way, thanks a lot asshats.
The mind conceives, the body achieves, the spirit manifests.
A responsible company that size should be releasing several thousand fake corporate client lists per day. If every company did its civil duty and released thousands of fake client lists, the identity thieves would never be able to find a needle in a haystack. Nature adapts camouflage, not invisibility.
Gently reply
At my work, they require us to take annual security training ... and this year, I flat out refused to take it from any of my systems ... because I had to install flash & turn on java in my web browser. I had to go to the 'training center' to take it from one of the machines there.
... not a week later, the first of the 2013 Flash vulnerabilities was announced ... then a couple of weeks later, another one ... then the Java one ...
Then I was told that I had to take the 'advanced security' training ... what was the recommendation? to turn off flash & java in your web browser.
ah, the irony.
Build it, and they will come^Hplain.
Really, given the complete failure to secure well... any of their desktop software, is there any surprise?
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Try going to work at a large company.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Obviously, then, 640kb is way overkill.
now we need to go OSS in diesel cars
They discovered they were hacked on Thursday. Any idea when the breach occurred?
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I am so pissed off about Adobe's business model that I may never buy an Adobe product ever again.
That company can go to hell.
More likely the hacker took over someone's desktop machine that was running exploitable software, and was inside the network. Now they can get to file servers, source repository, etc., as soon as the person who had that desktop signs in to those servers. They probably also took over some other desktops used by people without that access. But they just keep trying and eventually get lucky. I'm sure a lot of people there were using exploitable software.
now we need to go OSS in diesel cars
http://www.pixelmator.com/ An amazing piece of software, and only $15! Seriously, if you have a Mac and you don't get this you are doing yourself a disservice.
- Vincit qui patitur.
No we don't. That was Macromedia. Sorry for my lack of humour.
Adobe is so big that I doubt anything happens to their PCI status. Except a higher discount rate in the future from their current processor(s). In aggregate, the cost of which is slightly less than the calculated cost of Adobe switching processors.
Even with Creative Cloud, you can store your files locally, then stop paying. Knock it off with the FUD already.
(name withheld by request)
When you stop paying, the software stops working and you can't access or open your files anymore, cloud storage or no cloud storage.
kind of like a ransom.
Every altered pic gets a unique owner/camera/GPS/serial number string coded in, popular "face blurring" methods are reversible and stenography efforts flagged in the saved files for easy detection at the network level?
Domestic spying is now "Benign Information Gathering"
Learn by racing your new multi-threading, better RAM use, 64-bit optimized efforts vs the code? :)
Chart how much faster or slower
Domestic spying is now "Benign Information Gathering"
Citibank offers "Virtual Credit Cards" that are generated for you on demand. Each card is valid for one merchant only (the first transaction locks the merchant), has configurable expiration date and maximum amount limit. Even if stolen such virtual cards are of little use to the bad guys.
Ah... so the ColdFusion source code was stored on a box running ColdFusion?
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
So a compromised network allowed more than one business unit to be hijacked. Horrible. Some admins are in deep trouble.
It's now running on a heavily customized Tomcat that's been twisted long enough until you could no longer simply update it independently.
Still not seeing the part where software piracy is justified.
Still not seeing the part where it needs to be.
Adobe: You'll shit a brick!
They have 3 million customers?!?!?
Shocking, truly shocking.
Oh, and yeah, the hack raised an eyebrow.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
Even with Creative Cloud, you can store your files locally, then stop paying. Knock it off with the FUD already.
Maybe if you save it as a .jpg or .png or whatever your format of choice is. A locally stored .psd is useless without photoshop.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
stenography efforts flagged
That's why I stick to writing longhand. Take that Adobe!
How does Krita fare?
Change is certain; progress is not obligatory.
Not an Adobe client. Not having to worry about such break-ins, another advantage of using FOSS.
Views expressed do not necessarily reflect those of the author.
Well, hashing the numbers would be useless because then they couldn't retrieve the numbers to charge against. If they have encryption on the partition on the system where the numbers are stored, I don't understand how that would have helped the situation anymore in this circumstance since usermode applications would access it the same way as unencrypted.
What do you propose they should have done?
Change is certain; progress is not obligatory.
That reminded me to go have a look at Foxit, which is a great little PDF reader and more for Windows. They used to have a version for Linux (unless I'm remembering wrong?) but just went to their website and saw no trace of it.
Did they give up trying to sell to us freetards that don't want to pay for software? If so, too bad, it's a pretty good little PDF renderer. I'm using Okular, and like it too. Evince I'm not a big fan of.
If this were Usenet, I'd killfile the lot of you.
Kindly bring Adobe to its knees and liberate us serfs. With love and hope,
"SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
Forget the credit card info - the real juicy stuff for a criminal would be to get whatever is needed to trick the update feature to trust a malicious piece of code (especially if it can be automated without user interaction!)
This is the most important thing I want to hear from Adobe's response team: Did the attackers get what would be needed to do this, yes or no?
I'll take this one further:
Buying a piece of software from a vendor: Adobe doesn't have your details.
Paying on a monthly basis to a software company: Adobe has your details.
Software vendor not named Microsoft most responsible for exploits and attacks in the last 10 years: Adobe Systems
If they can't even keep something like Acrobat Reader secure, how the hell does anyone trust them with credit card information? The long road that has been "software activation" led us to this place.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
Undoing mod. Meant for Funny, got Overrated instead. "Missed it by that much."
Ty ixs :) *steganography
Domestic spying is now "Benign Information Gathering"
Glad I stopped with CS6 Production Suite....I refused to rent software and did not go with Creative Cloud, where you do have to give a CC number.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
I can't see the future but I have a prepaid credit card that I use for Internet transactions just in case...
Encrypted or not, with the access the bad-guys had, would it not be likely that the encryption keys would be the first things they would have harvested? A lock box is not good when the keys are stolen with it.
At the beginning of August I purchased the latest version of Adobe Premiere using a credit card as this is the ONLY way you can do this - monthly payments require a credit card. Since this is a company purchase I used the company card; this card had never been used before for Internet transactions. I have a special card for this but because this is a monthly purchase I did not want to transfer money every month into the "special" credit card.
On the 20.08.2013 the credit card was debited by a person called "NOVAPOKEREW" through a PAYPAL account. I rang paypal and after a lengthy conversation (on and off for 3 hours) and being handed from person to person they acknowledged this was fraudulent and have no problem giving the money back to me (thank you PAYPAL).
What gives me the shits is that Adobe is lying because I have seen many people saying their credit card has been debited somewhere at the end of August - Adobe you are lying!!!!
To add insult to injury when you try to reset your password you end up in an endless loop of resetting your password again and again - this too has been the experience of MANY other people (just search for Adobe Hacked and start reading).
While I like your products ADOBE, you suck at security and customer service as well as giving the incorrect information about an event.
This is not about being hacked, it can happen to anyone - but leaving your customers in the dark - well if there would be another product like InDesign or Premiere - I would NOT be using Adobe anymore, that's for sure
to code or not to code, that is the question.