Slashdot Mirror


Adobe Breach Compromised Over 38 Million Users, Photoshop Source Code

rjmarvin writes "Adobe's investigation into the massive data breach they were hit with this past August has revealed that over 38 million active users, not to mention inactive accounts, had their user IDs and passwords pilfered by hackers. An Adobe spokesperson confirmed the number, along with the theft of Adobe Photoshop source code. The initial report earlier this month put the extent of the breach at only 3 million credit card accounts, plus stolen Adobe Acrobat, Reader and ColdFusion source code."


  1. We can always hope by nospam007 · · Score: 5, Insightful

    The breach was made possible by a bug in Adobe Acrobat Reader I hope.
    That would be Karma.

    1. Re:We can always hope by dgatwood · · Score: 5, Insightful

      In my experience, it's a safe bet that any company that cuts as many corners as Adobe does in one area probably cuts corners in almost every other area. This leads to the obvious question of whether the crackers will find any serious security holes in Photoshop and exploit them. Given how much they seem to resist fixing even the most trivial bugs in Photoshop, I'd be willing to bet that the entire codebase is an unholy cesspool, which means it is probably rife with security holes, too.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:We can always hope by X0563511 · · Score: 4, Insightful

      I think we can all agree that there's no need for an NSA-specific backdoor in that piece of crap...

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    3. Re:We can always hope by dhaines · · Score: 4, Insightful

      ...they seem to resist fixing even the most trivial bugs in Photoshop...

      Adobe fixes bugs! They save up all the fixes then charge for them in the next release.

    4. Re:We can always hope by tbuddy · · Score: 3, Insightful

      Now that we have no more perpetual licensing the issue of having to pay for a next release is a non-issue. They still haven't pushed out a compelling feature for my licenses to merit upgrading, however.

    5. Re:We can always hope by Press2ToContinue · · Score: 2

      Have you tried Foxit? I've been using it instead of Adobe for years now. Lighter, faster, more stable, less annoying.

      --
      Sent from my ENIAC
    6. Re:We can always hope by drinkypoo · · Score: 2

      Is there a version of Photoshop with both perpetual licensing and content-aware fill? I'm not throwing rocks at resynthesizer, but...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:We can always hope by beckett · · Score: 2

      CS6 has content aware fill.

  2. With Photoshop "open sourced" by RunFatBoy.net · · Score: 2

    I can finally write that lens flair javascript library

    -- Jim
    Weekly feedback for your website.

    1. Re:With Photoshop "open sourced" by ElectricTurtle · · Score: 2

      How many pieces?

      --
      I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
    2. Re:With Photoshop "open sourced" by Stormwatch · · Score: 4, Funny

      It's a very stylish lens.

    3. Re:With Photoshop "open sourced" by X0563511 · · Score: 4, Funny

      Is that what they implemented in the recent Star Trek movies?

      Lens Flair: Using lens flares to add flair.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:With Photoshop "open sourced" by dgatwood · · Score: 3, Funny

      Oops. I think you just a word there.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. The untold story by dysmal · · Score: 5, Funny

    The untold story is that the hackers tried to give back the source code but Adobe said NO GIVE BACKS!

    1. Re:The untold story by 0x15e · · Score: 2

      Awww ... I was going to make that joke about the CF source. If only I had mod points.

    2. Re:The untold story by icebike · · Score: 5, Funny

      Given the level of bloat in Photoshop and Acrobat, I'm amazed the hackers had enough disk space and time to download it.

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:The untold story by X0563511 · · Score: 4, Funny

      95% of the codebase is the secret bug-generator. They just made sure not to pull down that external repository.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:The untold story by K.+S.+Kyosuke · · Score: 4, Funny

      Given the level of bloat in Photoshop and Acrobat, I'm amazed the hackers had enough disk space and time to download it.

      The source is actually only 370 KB. The rest comes from C++ template instantiation.

      --
      Ezekiel 23:20
    5. Re:The untold story by RocketRabbit · · Score: 2, Funny

      Oh come on, they probably accelerated their download with the Adobe Download Manager.

  4. No News Is Good News by Anonymous Coward · · Score: 5, Funny

    Adobe hasn't notified me of anything so my data must be safe. Right?

    Right?

    1. Re:No News Is Good News by icebike · · Score: 4, Funny

      Adobe hasn't notified me of anything so my data must be safe. Right?

      Right?

      I got dozens of different notices. They had links to places where I could change my password. Lots of different places.

      I could forward you a few if you want.

      --
      Sig Battery depleted. Reverting to safe mode.
  5. Cloudy skies by girlintraining · · Score: 4, Insightful

    So how's that new "Cloud all the apps" thing working out for you guys so far? Ah. I see you leaked pretty much your whole database of people who had signed up for it. Well then, carry on.

    In other news, I hope your new strategy crashes into the dirt so hard the only thing that'll be memorable about Adobe in 5 years will be the case study on it in business classes around the world on how not to do it.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Cloudy skies by aiadot · · Score: 3, Insightful

      Whether the cloud strategy is working or not doesn't matter. As long as artists, web designers, graphic designers, wannabes, etc., keep using Photoshop et al. for everything they do, even when it is completely unnecessary either because there are cheaper, sufficient or better alternatives depending on the job, Adobe has no need to listen to reason. They'll still be making all the money they want.

  6. Would suck to be them by jones_supa · · Score: 4, Insightful

    I know we're gonna get all the "ha ha, it's an evil megacorp anyway", but damn it must be stressful moments to some of the folks at Adobe. :/ Especially if the source code leaks turn out to be true.

    1. Re:Would suck to be them by sconeu · · Score: 3, Informative

      Allow me to introduce you to a new word... Schadenfreude.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:Would suck to be them by InfiniteLoopCounter · · Score: 3, Interesting

      I know we're gonna get all the "ha ha, it's an evil megacorp anyway", but damn it must be stressful moments to some of the folks at Adobe. :/ Especially if the source code leaks turn out to be true.

      Leaking the source will be a big embarrassment for Adobe. I mean given the quality of the applications there will probably be lots of comments on top of functions that say:

      We have no idea what this function does. The guy who wrote it left and it is used for backwards capability. It is also tied into main areas of the program and can't be removed.

    3. Re:Would suck to be them by pwizard2 · · Score: 4, Funny

      The rest of the world can finally see how god-awful their code really is.

      --
      "It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
  7. Is it time... by ADRA · · Score: 2

    I keep hearing about this breach and that breach, but what I'd love to see are some seriously ambitious groups of skilled security engineers standing up to help encourage good security practices that are widely recognized and standardized. The networked computing eco-system is so intertwined and desperate that how can any Jack or Jill admin be expected to have a fair set of skills in their toolbox to tackle such a hurdle? To expect any or ALL admins to have enough competence to just know the depth and complexity of a highly enabled enterprise is very unlikely.

    For a possible first step, let's consider blocking broadcasts by default. All computers fall into 255.255.255.254 and rely on tight enforcement of shared communication as a reasonable start.
    A second may be for all communications channels to be flagged with security credentials of the communications user (or machines), or anonymous for completely un'authorized' communications and rely on block by default as a sane start. Allow 'users' to reach out to unsecured locations if you like, but make sure that their connection to secured resources are a lot harder to reach (and fully audited when performed)

    Anyways, this is a huge problem which is at least in part why this happens over and over again. I could say X, and 100 experts will give me 101 answers to why it's the most stupid solution in the world, so.... enjoy!

    --
    Bye!
    1. Re:Is it time... by dnaumov · · Score: 2

      I keep hearing about this breach and that breach, but what I'd love to see are some seriously ambitious groups of skilled security engineers standing up to help encourage good security practices that are widely recognized and standardized.

      According to the people with actual decision-making power, this would be too expensive. The end.

  8. Hmm... Source Code... by wjcofkc · · Score: 2

    While I fully realize that it would be both wrong and illegal, with the Photoshop source code in the wild, is it possible some of it could be added to or at least quietly re-engineered into OSS projects? Real CMYK support for Gimp would be like birthday + xmas combined times a million.

    --
    Brought to you by Carl's Junior.
    1. Re:Hmm... Source Code... by XanC · · Score: 3, Informative

      According to their FAQ:
      http://www.gimp.org/docs/userfaq.html#cmyk

      "It is clear from the product vision that GIMP eventually needs to support CMYK, but it is impossible to say when someone finds the free time and motivation to add it."

      So they're not anti-CMYK, it just hasn't been done yet.

    2. Re:Hmm... Source Code... by mark-t · · Score: 4, Interesting

      CMYK and more should be there for 2.10, once GEGL and babl are fully incorporated.

    3. Re:Hmm... Source Code... by 0123456 · · Score: 5, Insightful

      Sounds like another open source project with inappropriate funding.

      They have much more important things to do. Like crippling the 'Save As' window so it can now only 'Save As' GIMP format, and you have to 'Export' to save a JPEG.

    4. Re:Hmm... Source Code... by fatphil · · Score: 2

      Being an amateur photographer, I wanted to design my own business cards for one of my businesses. Being exclusively linux/FOSS, I tried GIMP. On screen, I was quite proud of what I'd designed. Until I saw it on card.

      Alas, my bold ambers came out a kind of bilberry blue in the test run of the cards. It's my belief that until I've got end-to-end RAW/CMYK, all I will be able to do is tweak curves and pay for another test run (less than 5e for 36 cards, and the kinds of people I'm giving these to don't care about the visuals, so it's an annoyance rather than a disaster). No idea how many iterations will be necessary.

      --
      Also FatPhil on SoylentNews, id 863
    5. Re:Hmm... Source Code... by rasmusbr · · Score: 2

      Yes, but now that the Photoshop source is leaked they could just copy-paste the CMYK code into their project and hit compile.

    6. Re:Hmm... Source Code... by tbuddy · · Score: 2

      Any decent output device will have to mean an EFI or APPE device, because pretty much everything else is balls at converting, including the bulk of rips which are old JAWS. Short of it is if you don't have a $3000+ RIP upgrade you are going to get garbage if you don't normalize first.

  9. Re:Oh no! by king+neckbeard · · Score: 2

    I don't. Their source code would be better off in the hands of just about anybody else, including monkeys with typewriters.

    --
    This is my signature. There are many like it, but this one is mine.
  10. Linux port! by Arashi256 · · Score: 2

    Bring it! :D

  11. Why was the sourcecode even on the server? by Nyder · · Score: 4, Insightful

    Anyone else wondering why the sourcecode was even able to be accessed? Seems like a stupid thing to have on a web server, or able to access from a web server.

    That's like leaving a laptop sitting on a seat in car while you are out shopping/whatever.

    --
    Be seeing you...
    1. Re:Why was the sourcecode even on the server? by Anonymous Coward · · Score: 5, Funny

      You think that's bad? GIMP puts all of their source and even the bug tracker on publicly accessible web servers.

  12. Such is the beauty of the cloud to cybercrooks. by Dega704 · · Score: 2

    Even the best of security practices does little to dissuade them when all of the eggs are in one basket.

  13. Organisation-wide failure - /. hubris spot-on? by Bearhouse · · Score: 2

    I know it's popular to rubbish Adobe here, but this report, if true, would seem to justify the Adobe-hate.
    And I say this as someone who has happily used many of their products over the years, (although less so, lately).

    Yes, we all know security is hard, but if you're a leading tech company with internal safeguards so lax that one breach can leak both user IDs and source code well, frankly, you're shit.

  14. Re:Oh no! by Mordok-DestroyerOfWo · · Score: 3

    I don't. Their source code would be better off in the hands of just about anybody else, including monkeys with typewriters.

    I was under the impression that it was initially created by monkeys with typewriters.

    --
    "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
  15. Re:Oh no! by Cryacin · · Score: 2

    including monkeys with typewriters.

    It's unfair to marginalize the support team like that. They work hard.

    --
    Science advances one funeral at a time- Max Planck
  16. Why all the hate? by intermelt · · Score: 2

    I understand this is /. but I don't understand why every "insightful" post is against Adobe. Adobe has marketed to their users. Their market is not an open-source market. Their market is people who want something that works. Their IP is priceless and I believe their "Cloud" platform has been correctly. Up until they offered Creative Cloud I never had a licensed version of an Adobe product. I now have a licensed Adobe product on my home and work computers. They are not evil by any means. My subscription can lapse and things still work. Programs are installed locally. They only connect now and then to confirm the license. I now get updates on a regular basis. Their code is considered top notch by professionals. I have rarely had an Adobe application crash on me. It just works. You can't say that about any of the competitors, open-source or not. I've tried using Gimp or Paint Shop Pro. They don't even compete with Photoshop.

    As far as we know this breach has nothing to do with the "security" or "programming ability" at Adobe. It could have easily been an insider. Or maybe just someone who knows what they are doing and has been at it for years. Any system can be easily breached internally and any system can be breached given time.

    Stop making assumptions and look at the facts. The facts about the situation are non-existent. The facts about their programming ability are public knowledge and they have proven themselves. Anyone that thinks otherwise... show me what you have done that has the capabilities of their software. You won't. Their software (Adobe Acrobat) is used everywhere. More than Flash was (Flash was Macromedia, not Adobe). If it sucked it won't be used. Don't give me any analogies about how Windows sucks and it still is used! Windows doesn't suck. Any professional Linux user will agree that it satisfies its market, which happens to be a very large market. I love Linux but all my computers have Windows. Why? Because it works as it should. Oh it's not free? You get what you pay for. That goes for Adobe products too. Talk to one of their programmers. Find out what a real development environment is like. Ask them how much time is devoted to their product. Ask them how much time is devoted to testing. Ask them how much time is devoted to refactoring their code. This is not Microsoft. They can't get away with just adding on. They invent and make new. They are worth it.

    A small hiccup like this is nothing. It has happened to companies magnitudes greater and no one blinks an eye. Adobe has been completely transparent about what happened.

    They should be applauded for their efforts to inform people.

    I can't wait until slashdot is compromised. It will happen. My encrypted password will be stolen. Oh no! 100's of sites have my encrypted password. Just like they all have yours. Oh... you use a different password for every site. First.. I call BS! You don't. You want to project a fake reality. Fine. You are then just stupid. You really only need 3 - 4 different passwords.

    1. Banking/PayPal
    2. Email
    3. Other Sites
    4. Optional/Social Sites (could fall under "other sites")

    This keeps you safe. A max of 4 passwords. If you can't figure out the logic, then just move on.

    So how does all this roll back into Adobe?
    1. If you use only 1 password you are stupid.
    2. If you use 2 - 4 passwords, you don't care.
    3. This isn't Adobe's fault, it just happens.
    4. If it bothers you then why do you have an Adobe account in the first place?
    5. We all use Adobe products and could not live without them. (btw... this is not a monopoly! think before you respond with those ideas)

    I think this is enough to get my point across.

  17. Re:Seriously. by tbuddy · · Score: 2

    High cost and stagnant development weren't enough?