Educause Security Discussion mailing list archives
Re: FYI - Adobe account compromise
From: Gary Warner <gar () CIS UAB EDU>
Date: Tue, 12 Nov 2013 06:54:09 -0600
Brian,

True point! I haven't spent money at Adobe, so wasn't thinking about the fact that many of those accounts *WERE* "payment information" accounts. I honestly hadn't realized that the CREDIT CARD INFORMATION had been leaked. I obviously HAVE the file of the password cryptotext and hints.

I now see at the bottom of the referenced sophos blog post:

+++++++++
"There's more to concern yourself with. Adobe also described the customer credit card data and other PII (Personally Identifiable Information) that was stolen in the same attack as "encrypted.""
+++++++++

So, looking back to Adobe's announcement:

blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html

(begin quote from same)

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.

We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident. We’re taking the following steps:

As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.

We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.

We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.

We have contacted federal law enforcement and are assisting in their investigation.

(End Quote)
++++++++++++++++++++++++

Curiously, as you pointed out, the current version of the FAQ still refers to only the 2.9 million customers, despite the clear fact that there are tens of millions listed in the data dump we've all seen. Is it possible that there were 2.9 million who had shared credit cards and the other "active accounts" were non-Credit Card people?

helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html

(Quoting from same)

What information exactly did the attacker gain access to?

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.

(End quote)
++++++++++++++++

Brian Krebs has Adobe confirmation that 38 million "active user accounts" were among that dump. Adobe's CSO acknowledged the source code leak of Cold Fusion and Acrobat code, and thanked Krebs and Holden for their data in this post:

blogs.adobe.com/asset/2013/10/illegal-access-to-adobe-source-code.html

++++++++++++++++

Interestingly, in the Adobe forums, people who used a "unique email" to register their Adobe products have shared that those accounts began receiving spam after the breach (including spam containing malware links). See for example:

forums.adobe.com/message/5813930

It may be interesting for those of us with access to University spam to compare "addresses on the Adobe breach list" to those NOT on the list and see if there are any unique campaigns being targeted to the Adobe group...

----------------------------------------------------------
Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
205.422.2113
gar () cis uab edu
-----------------------------------------------------------
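The comparison proposed at the end of the message above can be sketched as follows. This is an added example, not part of the original post: it flags spam campaigns whose recipients are over-represented among breach-list addresses relative to the campus baseline. The function name, the campaign key (for example a normalized subject line) and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

def normalize(addr):
    # Compare addresses case-insensitively and without stray whitespace.
    return addr.strip().lower()

def campaign_skew(spam_log, breach_list, population, min_recipients=3, min_lift=2.0):
    """Return campaigns that hit breach-list recipients far more than chance.

    spam_log    -- iterable of (recipient, campaign_key) from the spam filter
    breach_list -- campus addresses found in the breach dump
    population  -- all campus addresses that receive mail
    """
    breached = {normalize(a) for a in breach_list}
    pop = {normalize(a) for a in population}
    if not pop:
        return []
    # Baseline: fraction of the campus population that is on the breach list.
    baseline = len(breached & pop) / len(pop)
    recipients = defaultdict(set)
    for rcpt, campaign in spam_log:
        rcpt = normalize(rcpt)
        if rcpt in pop:
            recipients[campaign].add(rcpt)  # unique recipients per campaign
    flagged = []
    for campaign, rcpts in recipients.items():
        if baseline == 0 or len(rcpts) < min_recipients:
            continue  # too few recipients to say anything meaningful
        share = len(rcpts & breached) / len(rcpts)
        lift = share / baseline
        if lift >= min_lift:
            flagged.append((campaign, len(rcpts), round(share, 2), round(lift, 2)))
    return sorted(flagged, key=lambda row: row[3], reverse=True)

# Constructed sample data (not real addresses or campaigns).
POPULATION = [f"user{i}@example.edu" for i in range(1, 11)]
BREACH_LIST = ["user1@example.edu", "User2@example.edu", "user3@example.edu"]
SPAM_LOG = [
    ("user1@example.edu", "invoice-update"), ("USER2@example.edu", "invoice-update"),
    ("user3@example.edu", "invoice-update"), ("user1@example.edu", "invoice-update"),
    ("user1@example.edu", "pharma-generic"), ("user5@example.edu", "pharma-generic"),
    ("user6@example.edu", "pharma-generic"), ("user7@example.edu", "pharma-generic"),
    ("user8@example.edu", "pharma-generic"),
    ("user2@example.edu", "small-run"), ("user3@example.edu", "small-run"),
]

if __name__ == "__main__":
    for row in campaign_skew(SPAM_LOG, BREACH_LIST, POPULATION):
        print(row)
```

With real data, a high lift on a small recipient set still deserves a manual look at the messages before concluding that the breach list was the source.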