31 October 2013

Adobe hack: 38m users impacted, Photoshop source code also stolen

Adobe launched Creative Cloud in April 2012. More than 38 million customers' details are now known to have been accessed in the recent hack.

The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says.

It also appears the already massive source code heist included the company's Photoshop family of graphical design software in addition to Reader and Acrobat.

In a breach first revealed on October 3, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of user accounts.

At the time, a massive trove of stolen Adobe account data viewed by KrebsOnSecurity indicated that – in addition to the credit card records – tens of millions of user accounts across various Adobe online properties may have been compromised in the break-in. It was difficult to fully examine many of the files on the hackers' server housing the stolen source code because many of the directories were password protected, and Adobe was reluctant to speculate on the total number of users potentially impacted.

But just this past weekend, hacker forum AnonNews.org posted a huge file called "users.tar.gz" that appears to include more than 150 million username and hashed password pairs taken from Adobe.

The 3.8 gigabyte file looks to be the same one Hold Security chief information security officer Alex Holden and I found on the server with the other data stolen from Adobe.

Adobe spokesperson Heather Edell said the company has just completed a campaign to contact all existing users whose login and encrypted password were stolen, urging those users to reset them. She said Adobe has no indication that there has been any unauthorised activity on any Adobe ID involved in the incident.

"So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and encrypted passwords for approximately 38 million active users," Edell said. "We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident - regardless of whether those users are active or not."

Edell said the company believes the attackers also obtained access to many invalid IDs, inactive IDs, IDs with invalid encrypted passwords, and test account data. "We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident," she wrote in an email. "Our notification to inactive users is ongoing."

Part of the Adobe breach involved the theft of source code for Adobe Acrobat and Reader, as well as its ColdFusion web application platform. Among the cache was a 2.56 GB-sized file called "ph1.tar.gz", but KrebsOnSecurity and Hold Security were unable to crack the password on the archive. Over this past weekend, AnonNews.org posted a file by the same name and size that was not password protected, and appeared to be source code for Adobe Photoshop.

Asked about the AnonNews posting's similarities to the leaked source code troves discovered by KrebsOnSecurity in late September, Adobe's Edell said it does indeed appear the intruders got at least some of the Photoshop source code. In both cases, Adobe said it contacted the sites hosting the data linked to from the AnonNews postings and had the information taken down.

"Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on October 3," Edell wrote.

Free credit monitoring

Adobe has offered a year's worth of credit monitoring to customers whose encrypted credit card data was stolen in the breach. As it happens, Adobe's offering comes through Experian, one of the three major credit bureaus and a company that is still reeling from a security breach in which it was tricked into selling consumer records directly to an online identity theft service.

One of the most frequently asked questions I receive involves whether readers should take advantage of credit monitoring services, particularly those offered for free by the major credit bureaus in response to some breach. My response is usually that free credit monitoring generally can't hurt, as long as you're not automatically signed up for a paid monitoring service after the free period expires. Monitoring especially makes sense if you've been the victim of ID theft before.

But bear in mind that having your credit card information stolen is not the same thing as identity theft, which generally involves the fraudulent opening of new accounts in your name. Some types of ID theft involve the creation of synthetic identities using parts of your personal information combined with details that are not yours. Credit monitoring services may have a hard time detecting these types of accounts.

In the US, a big part of monitoring your credit involves checking your credit file for oddities and errors. US consumers are entitled to a free credit report from each of the three major bureaus once per year, via annualcreditreport.com. That means that roughly every four months, Americans should be able to get an updated copy of their credit report from one of the three bureaus (calendar reminders come in handy here).

theage.com.au, 30 Oct 2013

Some comments posted on the news site:

Well a lot of people saw this coming. Hackers were always going to go after the latest Adobe software to pirate it, and Adobe gave them the extra cherry on top with a nicely wrapped collection of credit card information. Well done.
Alex, Melbourne, October 30, 2013, 11:03AM

Commonwealth Bank cancelled my corporate credit card as it was being used for the Adobe cloud service and pointed out it had been 'breached'. Had to re-register 20 services with new CC details.
If Adobe had ANY competition in the marketplace, they'd have gone broke a long, long time ago.
Simon, Brisbane, October 30, 2013, 3:37PM