Adobe has announced that attackers have stolen information on 2.9 million customers, including user names, encrypted passwords, and encrypted payment information. Adobe has sent email notifications to affected customers, alerting them to reset their Adobe ID passwords, along with an offer of one free year of credit monitoring for customers whose credit or debit card information was accessed.
In addition to customer information, the attackers also stole source code for a number of Adobe’s products. Security expert Brian Krebs discovered 40 GB of Adobe’s source code on a rogue server a week before Adobe’s announcement. Adobe believes the intrusion occurred in mid-August 2013, due to outdated installs of ColdFusion on some of its networks.
This breach shines an unflattering light on Adobe’s plans to make most of its software available only by subscription (see “Adobe Flies from Creative Suite into the Creative Cloud,” 8 May 2013), and feeds critics of the company’s Creative Cloud service (see “Creative Cloud Complaints Darken Adobe’s View of the Future,” 17 May 2013).
While Adobe sees cloud-based subscriptions as a more reliable source of revenue, the company’s increased emphasis on online accounts also made Adobe even more attractive to cyber criminals. Now Adobe has the unenviable task of further hardening online systems, winning back customer trust, and averting new security vulnerabilities that could be opened by the source code leak.
As for what you, the user, can do in this particular situation, there isn’t much other than changing your Adobe ID password. More generally, the single best thing you can do to protect yourself is to limit the potential damage by using a different secure password for every online service, as recommended in Joe Kissell’s best-selling “Take Control of Your Passwords.” Password managers like 1Password are essential for this task (see “1Password 4 for Mac Better Than Ever,” 3 October 2013), and fortunately, Joe has a book for that as well, the just-released “Take Control of 1Password.”