Educause Security Discussion mailing list archives

Re: FYI - Adobe account compromise


From: Gary Warner <gar () CIS UAB EDU>
Date: Tue, 12 Nov 2013 06:54:09 -0600

Brian, 

True point!  I haven't spent money at Adobe, so wasn't thinking about the fact that many of those accounts *WERE* 
"payment information" accounts.  I honestly hadn't realized that the CREDIT CARD INFORMATION had been leaked.  I 
obviously HAVE the file of the password cryptotext and hints.  I now see at the bottom of the referenced sophos blog 
post:

+++++++++

"There's more to concern yourself with.

Adobe also described the customer credit card data and other PII (Personally Identifiable Information) that was stolen 
in the same attack as "encrypted.""

+++++++++

So, looking back to Adobe's announcement:

blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html

(begin quote from same)

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our 
systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe 
customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information 
relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card 
numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as 
with external partners and law enforcement, to address the incident. We’re taking the following steps:

    As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID 
accounts. If your user ID and password were involved, you will receive an email notification from us with information 
on how to change your password. We also recommend that you change your passwords on any website where you may have used 
the same user ID and password.

    We are in the process of notifying customers whose credit or debit card information we believe to be involved in 
the incident. If your information was involved, you will receive a notification letter from us with additional 
information on steps you can take to help protect yourself against potential misuse of personal information about you. 
Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a 
one-year complimentary credit monitoring membership where available.

    We have notified the banks processing customer payments for Adobe, so that they can work with the payment card 
companies and card-issuing banks to help protect customers’ accounts.

    We have contacted federal law enforcement and are assisting in their investigation.

(End Quote)
++++++++++++++++++++++++

Curiously, as you pointed out, the current version of the FAQ still refers to only the 2.9 million customers, despite 
the clear fact that there are tens of millions listed in the data dump we've all seen.  Is it possible that there were 
2.9 million who had shared credit cards and the other "active accounts" were non-Credit Card people?

helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html

(Quoting from same)

What information exactly did the attacker gain access to?

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our 
systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe 
customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information 
relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card 
numbers from our systems.

We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, 
we are not aware of any specific increased risk to customers as a result of this incident.

(End quote)
++++++++++++++++

Brian Krebs has Adobe confirmation that 38 million "active user accounts" were among that dump.  Adobe's CSO 
acknowledged the source code leak of ColdFusion and Acrobat code, and thanked Krebs and Holden for their data in this 
post: 

blogs.adobe.com/asset/2013/10/illegal-access-to-adobe-source-code.html

++++++++++++++++

Interestingly, in the Adobe forums, people who used a "unique email" to register their Adobe products have shared that 
those accounts began receiving spam after the breach (including spam containing malware links).  See for example:

forums.adobe.com/message/5813930

It may be interesting for those of us with access to University spam to compare "addresses on the Adobe breach list" to 
those NOT on the list and see if there are any unique campaigns being targeted to the Adobe group...

----------------------------------------------------------

Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
205.422.2113
gar () cis uab edu

-----------------------------------------------------------
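The comparison proposed at the end of the post above (addresses on the breach list versus addresses not on it, looking for campaigns that skew toward the breached group), worked through as an added example. This is editor-supplied code, not Gary's and not from any of the Adobe or Krebs pages cited; the addresses and the log lines are constructed, the `recipient<TAB>subject` log format is a simplification of a real spam-filter log, and the `min_recipients` / `min_lift` thresholds are arbitrary defaults. Addresses are compared as SHA-256 hashes of the normalized form so the raw breach list does not have to travel with the mail-log analysis, and each campaign's breached share is judged against the baseline share across all spam, since on a campus where many people registered Adobe products the baseline itself can be high.

```python
"""Compare spam campaigns hitting breach-listed addresses against the rest.

Added example, not part of the original post. Addresses and log lines are
constructed for illustration; the "recipient<TAB>subject" log format is a
simplification of a real MTA or spam-filter log.
"""
import hashlib
import re
from collections import defaultdict

# Constructed breach list (hypothetical addresses, not from any real dump).
# Mixed case on purpose: real lists are not normalized.
BREACHED_ADDRESSES = [
    "alice@example.edu",
    "Bob@Example.edu",
    "carol@example.edu",
    "dave@example.edu",
]

# Constructed spam-filter log: one "recipient<TAB>subject" event per line.
SPAM_LOG = """\
alice@example.edu\tYour Adobe order 12345 is ready
bob@example.edu\tYour Adobe order 98765 is ready
carol@example.edu\tYour Adobe order 55555 is ready
erin@example.edu\tCheap meds online
frank@example.edu\tCheap meds online
alice@example.edu\tCheap meds online
grace@example.edu\tWin a free cruise
dave@example.edu\tYour Adobe order 31337 is ready
heidi@example.edu\tWin a free cruise
"""


def fingerprint(addr):
    """Hash a normalized address so only hashes, never the raw breach list,
    are loaded into the mail-log analysis."""
    return hashlib.sha256(addr.strip().lower().encode("utf-8")).hexdigest()


def campaign_key(subject):
    """Collapse per-recipient variation (order numbers, tracking digits) so
    all variants of one campaign share a single key."""
    return re.sub(r"\d+", "#", subject.strip().lower())


def parse_log(text):
    """Return (recipient_fingerprint, campaign_key) pairs from the log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rcpt, _, subject = line.partition("\t")
        events.append((fingerprint(rcpt), campaign_key(subject)))
    return events


def campaign_stats(log_text, breached_addresses):
    """Per campaign: (breached recipients, total recipients, breached share)."""
    breached = {fingerprint(a) for a in breached_addresses}
    counts = defaultdict(lambda: [0, 0])  # key -> [breached, total]
    for fp, key in parse_log(log_text):
        counts[key][1] += 1
        if fp in breached:
            counts[key][0] += 1
    return {key: (b, t, b / t) for key, (b, t) in counts.items()}


def baseline_share(log_text, breached_addresses):
    """Fraction of all spam events whose recipient is on the breach list.
    This is the control rate a campaign has to beat to look targeted."""
    stats = campaign_stats(log_text, breached_addresses)
    b = sum(s[0] for s in stats.values())
    t = sum(s[1] for s in stats.values())
    return b / t if t else 0.0


def targeted_campaigns(log_text, breached_addresses, min_recipients=3, min_lift=1.5):
    """Campaigns whose breached share is at least min_lift times the baseline,
    skipping campaigns with too few recipients to say anything about."""
    base = baseline_share(log_text, breached_addresses)
    stats = campaign_stats(log_text, breached_addresses)
    return sorted(
        key for key, (b, t, share) in stats.items()
        if t >= min_recipients and share >= min_lift * base
    )


if __name__ == "__main__":
    for key, (b, t, share) in campaign_stats(SPAM_LOG, BREACHED_ADDRESSES).items():
        print(f"{share:5.2f}  {b}/{t}  {key}")
    print("baseline:", round(baseline_share(SPAM_LOG, BREACHED_ADDRESSES), 3))
    print("targeted:", targeted_campaigns(SPAM_LOG, BREACHED_ADDRESSES))
```

On the constructed data the fake "order is ready" campaign reaches only breach-listed recipients (4 of 4) against a baseline of 5 of 9 events, so it is flagged, while the pharmacy spam (1 of 3) is not and the two-recipient cruise campaign is ignored as too small. With a real log the subject-based campaign key is the weak point; a sender-domain or URL-based key, or a filter's own campaign cluster ID, would separate campaigns more reliably.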