Adobe Hacked: Almost 3 Million Accounts Compromised

← Back to Stories (view on slashdot.org)

Adobe Hacked: Almost 3 Million Accounts Compromised

Posted by samzenpus on Thursday October 3, 2013 @10:28AM from the breaking-in dept.

sl4shd0rk writes "Adobe Systems Inc. is expected to announce today that hackers broke into its network and stole source code for an as-yet undetermined number of software titles, including its ColdFusion Web application platform, and possibly its Acrobat family of products. The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts."

52 of 256 comments (clear)

Min score:

Reason:

Sort:

See... this is why I torrent cracked versions. by hawks5999 · 2013-10-03 10:30 · Score: 5, Funny

It's too risky to give your credit card number to a company like Adobe.
1. Re:See... this is why I torrent cracked versions. by amicusNYCL · 2013-10-03 10:55 · Score: 4, Insightful
  
  You choose to not pay for the software that you prefer to use because you don't want to give your credit card number to Adobe? After which episode that Adobe had credit card records stolen from it did you make that decision? How long ago was that? How many times has Adobe been attacked and had customer credit card information stolen? You're sure that's not just a lame justification for not wanting to pay for the software that you prefer to use?
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
2. Re:See... this is why I torrent cracked versions. by amicusNYCL · 2013-10-03 11:28 · Score: 2, Funny
  
  I'm a programmer, not a cunning linguist. Taking things at face value is my specialty.
  And I don't have to "climb up" on some high horse, you clod, I'm here all the time.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
3. Re:See... this is why I torrent cracked versions. by Em+Adespoton · 2013-10-03 11:30 · Score: 5, Informative
  
  In related news, it turns out Adobe will give you some sort of software if you give them a credit card number. What a crazy business model!
  Not for long... their new business model is that they will let you have access to their cloud if you give them a credit card number, and keep paying them regularly.
4. Re:See... this is why I torrent cracked versions. by amicusNYCL · 2013-10-03 11:58 · Score: 3, Funny
  
  I have a fantastic sense of humor. Which is not mutually-exclusive with being socially retarded.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
5. Re:See... this is why I torrent cracked versions. by ColdWetDog · 2013-10-03 12:52 · Score: 2
  
  Are you thinking of this well known picture?
  
  --
  Faster! Faster! Faster would be better!
6. Re:See... this is why I torrent cracked versions. by rtb61 · 2013-10-03 13:47 · Score: 5, Interesting
  
  Especially when the break in was prior to the 17th of September and they didn't notify customer until another customer noticed Adobe source code floating around the internet October the 13th. It would seem if an outside company had not discovered the evidence of the breach Adobes customers would never have been warned that their log in details and credit card details had been stolen. Oh but the credit card details still maybe might secure because they were encrypted and those that could hack the system (likely ex-insiders and outsourcers) maybe might not have passwords for the encryption even though they had passwords for everything else.
  It seems like Adobe needs to be answering some very serious question in a court of law as to why that information was withheld from customers for so long.
  
  --
  Chaos - everything, everywhere, everywhen
7. Re:See... this is why I torrent cracked versions. by Anonymous Coward · 2013-10-03 15:06 · Score: 5, Funny
  
  As the article says. They'll also give your credit card to anyone else who asks their computer nicely for it too...
8. Re:See... this is why I torrent cracked versions. by daveime · 2013-10-03 17:56 · Score: 4, Funny
  
  > source code floating around the internet October the 13th
  
  Adobe have source code for a Time Machine ?
Couldn't have happened... by jwsarvey · 2013-10-03 10:31 · Score: 4, Insightful

...to a nicer company. I feel bad for their customers, but I'm hoping this kind of breach pushes people to insist that their sensitive data isn't stored when it isn't absolutely necessary.
1. Re:Couldn't have happened... by ralphaostrander · 2013-10-03 10:39 · Score: 3, Interesting
  
  Why do they need to store it use it lose it credit card companies need to insist as it is them who foot the bill when it is used. I will not lose the number it is on my card you have no need to store it. Storing it should be conspiracy to steal it and use it.
2. Re:Couldn't have happened... by Anonymous Coward · 2013-10-03 10:51 · Score: 4, Informative
  
  Adobe have been pushing software rental for the last couple of years. This involves recurrent payments. Recurrent payments require the vendor to store credit card details, or outsource the payment processing to a third party who stores the details.
  Either way, if you're renting software your credit card details are being stored.
3. Re:Couldn't have happened... by 0123456 · 2013-10-03 11:32 · Score: 3, Funny
  
  But we are talking about the people who wrote Flash...
good thing by Anonymous Coward · 2013-10-03 10:33 · Score: 4, Insightful

you can still buy offline standalone applications from adobe.... oh, wait.
Interesting Quote by BenSchuarmer · 2013-10-03 10:33 · Score: 4, Insightful

However, as far as the source code is concerned, Adobe assured that there is no "increased risk to customers as a result of this incident."
In other words, the risk is as bad as ever.
1. Re:Interesting Quote by fuzzyfuzzyfungus · 2013-10-03 11:08 · Score: 4, Funny
  
  However, as far as the source code is concerned, Adobe assured that there is no "increased risk to customers as a result of this incident."
  In other words, the risk is as bad as ever.
  I'm not sure why Adobe is being so pessimistic. This might be the first time in years that anybody who could find their own ass with both hands and a map, much less do code security, has examined the source code involved...
2. Re:Interesting Quote by causality · 2013-10-03 12:33 · Score: 4, Interesting
  
  Worse. The source code included the required NSA backdoor. Now requiring to insert backdoors to manufacturers will lead to the logical consequence
  We live in a society that, as Bill Hicks noted, is at about an eighth-grade emotional level collectively (he was being generous). Few people acknowledge the logical consequence, and seem to believe it magically goes away if they really, badly, truly wish hard enough or get upset enough.
  
  I suspect the government understands the situation, however. Malicious attackers and other criminals exploiting mandatory backdoors only provides an excuse for more laws regulating the Internet and expanding executive powers. To protect you from those evil hackers, of course. If nothing else, the NSA gets their little back-door so they can more easily betray their own countrymen in the name of safety; if that goes wrong in the worst possible way, then: bonus! For the evil men who love power and know no loyalty, it's a win-win. Sadly.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
3. Re:Interesting Quote by AHuxley · 2013-10-03 15:43 · Score: 2
  
  Yes, recall the printing efforts:
  Secret Code in Color Printers Lets Government Track You
  https://www.eff.org/press/archives/2005/10/16
  Makes you wonder what a digital file could hold or have blurring reversible :)
  
  --
  Domestic spying is now "Benign Information Gathering"
PDF Exploit? by Statecraftsman · 2013-10-03 10:38 · Score: 5, Funny

What are the odds this attack didn't involve a pdf exploit?
1. Re:PDF Exploit? by fuzzyfuzzyfungus · 2013-10-03 11:09 · Score: 5, Funny
  
  If you upgrade to a suitably new version of Acrobat, you can put your flash exploits inside your exploit PDF. Totally worth the license fee.
I, for one... by msauve · 2013-10-03 10:48 · Score: 4, Interesting

...can't wait until the hackers fork their code, and create something stable and less buggy from it. It will obviously take lots of work, but if they have the skills to hack in, they're up to the challenge.

--
"National Security is the chief cause of national insecurity." - Celine's First Law
1. Re:I, for one... by msauve · 2013-10-03 11:59 · Score: 2
  
  Well, they could rewrite it in Visual BASIC. It couldn't make it any worse.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
A likely attack vector by TheloniousToady · 2013-10-03 10:49 · Score: 2

I bet they used Flash to get in: since Adobe seems to be pushing Flash updates about every 10 minutes lately, it's evidently got some major security problems.
1. Re:A likely attack vector by ColdWetDog · 2013-10-03 13:06 · Score: 2
  
  Bolt on after the fact?
  Flash has had so many patches that, if it were an actual physical thing, it would be composed entirely of welds and rivets.
  
  --
  Faster! Faster! Faster would be better!
Re:3 million? by wiredlogic · 2013-10-03 10:50 · Score: 2

Doesn't say much for the security of ColdFusion. Maybe it's time for Adobe to stop eating their own dogfood.

--
I am becoming gerund, destroyer of verbs.
Source code by Dunbal · 2013-10-03 10:53 · Score: 2

According to TFA :"no "increased risk to customers as a result of this incident."
Considering that Adobe products are an endless stream of security vulnerabilities and zero days, I would say this is a fair statement. You have the same risk as you had before, when you allow their products onto your machines. As for the credit card data - shame on them. Why was that even on the same network?

--
Seven puppies were harmed during the making of this post.
Re:adobe is such bullshit by Anonymous Coward · 2013-10-03 10:54 · Score: 2, Insightful

Ok, I won't say gimp. How about Corel Draw?
No cloud for you! by onyxruby · 2013-10-03 10:54 · Score: 4, Insightful

Adobe must be the one company in the world to have a worse track record at security than Microsoft, Oracle or Mozilla. They have ignored industry best practices and been a thorn in the side of the rest of the industry for years while being oblivious to the damage their customers have suffered from their shoddy practices.
This is the same company that wants you to rely on their security as the only way to their products now that they only rent a cloud based versions of Acrobat Suite. Incidents like this are inevitable and people need to learn that their is nothing magical about the 'cloud'. Companies that have cloud dependencies for the use of their products necessarily expose all of their customers when they get cracked.
Do you trust Adobe with your security? Do you really think a company with their track record is going to get their act together?
1. Re:No cloud for you! by Voyager529 · 2013-10-03 11:17 · Score: 3, Insightful
  
  Adobe must be the one company in the world to have a worse track record at security than Microsoft, Oracle or Mozilla.
  ...Sony?
2. Re:No cloud for you! by Tom · 2013-10-03 11:21 · Score: 4, Interesting
  
  This is the same company that wants you to rely on their security as the only way to their products now that they only rent a cloud based versions of Acrobat Suite.
  This.
  I was actually on the verge of buying some of their stuff just a week ago. Decided against it when I found out they don't sell standalone versions anymore.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
Seconded by themushroom · 2013-10-03 10:55 · Score: 2, Funny

This makes me happy to have p1r4t3d versions of CS5 and CS6.
Adobe doesn't know my details and neither do the hackers, easy peasie lemon squeezie.

--
Laughter is the Spackle of the Soul.
1. Re: Seconded by snowblind · 2013-10-03 11:51 · Score: 4, Funny
  
  Yes we do Dave Watson 123 Anywhere Ln. Sunnyvale, CA 95014
  Ph# 408.123.4567
  Spouse: Miss Michigan
  Kids: Dave Jr and Susie
2. Re: Seconded by fisted · 2013-10-03 14:35 · Score: 4, Funny
  
  what, all 15?
  
  --
  CLI paste? paste.pr0.tips!
Dayamn! Thjs is big! by PerlPunk · 2013-10-03 10:58 · Score: 5, Insightful

This is big news. Expect untold exploits for the Adobe technology stack to emerge out of this. If someone or some group is determined to run Adobe into the ground, they are off to a good start.
1. Re:Dayamn! Thjs is big! by tech.kyle · 2013-10-03 11:13 · Score: 5, Insightful
  
  Expect untold exploits for the Adobe technology stack to emerge out of this.
  This. This is why people should be concerned. Open source programs have their code exposed to everyone, including those with malicious intent, and are therefor "battle hardened" for security. Closed source programs live a sheltered life and having that source suddenly available means those with malicious intent can use Adobe's relatively weak source code to develop new exploits for clients. Lots of them.
  
  Adobe is a household name that users couldn't get rid of if they wanted to. Flash, for example, is on nearly every internet-connected PC. This is a problem for everyone.
  
  --
  If we colonize Mars, it won't be the World Wide Web anymore. UWW?
2. Re:Dayamn! Thjs is big! by black3d · 2013-10-03 12:19 · Score: 2, Informative
  
  Open source programs have their code exposed to everyone, including those with malicious intent, and are therefor "battle hardened" for security.
  While this would the expected situation, the evidence demonstrates that it isn't.
  http://www.zdnet.com/six-open-source-security-myths-debunked-and-eight-real-challenges-to-consider-7000014225/
  http://www.theregister.co.uk/2004/03/05/does_open_source_software_enhance/
  etc..
  You can search this on your own. The general consensus is that the "many eyes" theory is flawed, and outside a few exceptions where a particular product has been security hardened beyond usual standards, most experts agree open source software in general tends to be no more or less secure than proprietary software. On the flip-side however, it is true that when the source code for a closed-source product does get compromised, we do generally get a new flood of exploits.
  
  --
  "The true measure of a person is how they act when they know they won't get caught." - DSRilk
Re:First post! by K.+S.+Kyosuke · 2013-10-03 11:08 · Score: 5, Funny

Your post looks photoshopped. Yep, definitely. The reflections are all wrong.

--
Ezekiel 23:20
Re:Nothing to worry about by fuzzyfuzzyfungus · 2013-10-03 11:12 · Score: 2, Insightful

3 million plaintext numbers means that Adobe's PCI team rides the short PCI bus to work...
seeing the future verses the writing on the wall by themushroom · 2013-10-03 11:13 · Score: 4, Insightful

Buying a piece of software from a vendor: Adobe doesn't have your details.
Paying on a monthly basis to a software company: Adobe has your details.
Your point about the inability to see the future is intact. However, it doesn't discount being able to predict the potential future based on math and science.

--
Laughter is the Spackle of the Soul.
Re:3 million? by the+eric+conspiracy · 2013-10-03 11:15 · Score: 5, Interesting

ColdFusion is built on JRun which is the most miserable POS Java servlet container conceived by the mind of man.
Since the source code is out maybe it will get some bug fixes.
Re:First post! by Anonymous Coward · 2013-10-03 11:31 · Score: 2, Funny

photoshopped reflections expert here, can confirm
Code analysis by kav2k · 2013-10-03 11:50 · Score: 5, Funny

So, let me recap.
Adobe just lost the source code to one of the most exposed attack surfaces known for vulnerabilities?
That'll be one hell of a peer review.
1. Re:Code analysis by mengel · 2013-10-03 16:23 · Score: 2
  
  Yes, I mean they stole the source code to Cold Fusion?!? That's kind of like breaking into Ford automotive and stealing the blueprints for the Pinto...
  
  --
  - "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
Re:Nothing to worry about by John3 · 2013-10-03 12:04 · Score: 4, Informative

The articles so far seem to indicate the card numbers were encrypted.

--
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
Safe? by h8sg8s · 2013-10-03 12:06 · Score: 2

Thank God I've never actually purchased any Adobe products. Phew, that was a close one.

--
Organization? You must be joking..
Metachoice by SuperKendall · 2013-10-03 12:15 · Score: 2

After which episode that Adobe had credit card records stolen from it did you make that decision?
Adobe may or may have had one before.
But there are enough other companies that have, that it's easy to make a rational choice based on the probability that it will happen to a company like Adobe, based on what has happened to companies at large that attract large bases of credit card numbers - especially as Adobe has recently moving to a subscription based service where they have presumably got a lot more credit card numbers stored than they used to before.
That was a factor in why I decided that I would not subscribe to the Photoshop subscription, even though the more recent photographically oriented pricing for just a few products was more appealing.
I'm all for paying for products myself, I do so whenever possible. But what I am not for is needless exposure of my financial data just because a company would prefer recurring revenue.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Adobe != security by oneiros27 · 2013-10-03 12:52 · Score: 5, Interesting

Adobe must be the one company in the world to have a worse track record at security than Microsoft, Oracle or Mozilla.
At my work, they require us to take annual security training ... and this year, I flat out refused to take it from any of my systems ... because I had to install flash & turn on java in my web browser. I had to go to the 'training center' to take it from one of the machines there.
... not a week later, the first of the 2013 Flash vulnerabilities was announced ... then a couple of weeks later, another one ... then the Java one ...
Then I was told that I had to take the 'advanced security' training ... what was the recommendation? to turn off flash & java in your web browser.
ah, the irony.

--
Build it, and they will come^Hplain.
Virtual Credit Card Numbers by slonik · 2013-10-03 15:39 · Score: 4, Informative

Citibank offers "Virtual Credit Cards" that are generated for you on demand. Each card is valid for one merchant only (the first transaction locks the merchant), has configurable expiration date and maximum amount limit. Even if stolen such virtual cards are of little use to the bad guys.
Re:3 million? by lennier1 · 2013-10-03 17:39 · Score: 2

It's now running on a heavily customized Tomcat that's been twisted long enough until you could no longer simply update it independently.
Re:This is just adobe's way of saying... by lxs · 2013-10-03 22:08 · Score: 3, Funny

stenography efforts flagged
That's why I stick to writing longhand. Take that Adobe!
Did they get the info to spoof an update? by Growlor · 2013-10-04 01:16 · Score: 2

Forget the credit card info - the real juicy stuff for a criminal would be to get whatever is needed to trick the update feature to trust a malicious piece of code (especially if it can be automated without user interaction!)
This is the most important thing I want to hear from Adobe's response team: Did the attackers get what would be needed to do this, yes or no?
Re:seeing the future verses the writing on the wal by MachineShedFred · 2013-10-04 01:37 · Score: 4, Insightful

I'll take this one further:
Buying a piece of software from a vendor: Adobe doesn't have your details.
Paying on a monthly basis to a software company: Adobe has your details.
Software vendor not named Microsoft most responsible for exploits and attacks in the last 10 years: Adobe Systems
If they can't even keep something like Acrobat Reader secure, how the hell does anyone trust them with credit card information? The long road that has been "software activation" led us to this place.

--
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.