Adobe data breach affects 2.9 million customers

Posted by on Oct 8, 2013


Image from www.adobe.com

Adobe Systems has become the recent victim of a massive data breach. The data breach exposed the personal information of millions of customers and the source code of famous Adobe products like Adobe Acrobat, Cold Fusion and others. Last Thursday, Adobe confirmed that the attackers accessed about 2.9 million user data. The customer information that was accessed included names, encrypted credit card and debit card numbers, expiration dates, and other information related to customer orders. However, the decrypted debit card and credit card numbers were not removed from the system.

Adobe has been attracting the attention of a lot of cyber criminals lately because of the widespread use of many of its products. The firm confirmed that they have been receiving “sophisticated attacks” on their network, involving illegal access to customer data and the source code of numerous Adobe products. Journalist Brian Krebs and Alex Holden of Hold security discovered the data leak about a week ago. As per Krebs, “they became aware of the data leak when they discovered a 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll.” The server of the hacking team contained huge repositories of compiled and uncompiled source code of ColdFusion and Adobe Acrobat.

A screen shot of purloined source code stolen from Adobe, shared with the company by KrebsOnSec

A screen shot of purloined source code stolen from Adobe, shared with the company by KrebsOnSec

After that discovery, KrebsOnSecurity informed Adobe about the attack with several screenshots showing Adobe source code on hacker’s server. Adobe confirmed that it is aware of the attack and has been working on an investigation of a broad ranging breach on its network since Sept 17th 2013. The Chief Security Officer of Adobe Brad Arkin said that the information shared by KrebsOnSecurity “helped steer their investigation in a new direction.”

ColdFusion source code repository found on hacker’s server.


In this case, the risk of identity theft or fraud seems to be low because the compromised personal data was encrypted. However it is still not clear what kind of encryption or security was used by Adobe on the stolen data. The biggest threat in this breach is the leak of source code of Adobe products. This information could lead to spear phishing attacks. The attacker can use this information to fool users by recommending them to download a software update with an email, which my look real because of the accurate information contained in it.

In response to the breach, Adobe has taken certain steps to maintain the security of customer data:

  • Adobe is resetting customer passwords to prevent unauthorized access to Adobe IDs. They are sending email notifications to the affected users-which include many Revel and Creative Cloud account holders- to change their passwords. The users are recommended to change the passwords of the websites where they have used the same user name and password.
  • The customers whose credit and debit card information were accessed will receive an email notification on how to protect yourself against potential misuse of your personal information. “Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available”.
  • Adobe has also notified banks processing customer payments for them, so that they can work with work with payment card companies and card issuing banks to help protect user data.
  • They have also contacted federal law enforcement and are assisting in their investigation.

So, as an Adobe customer, if you think your data is compromised or if you have received any notification from Adobe regarding that, make sure you follow the instructions given by Adobe in the notification email.Also be very careful in downloading any software updates from Adobe, as there might be a potential risk of phishing attack due to compromised source code.  Ensure that the update is from a legit site by checking if it is supported by SSL protocol, has any security symbol or HTTPS:// protocol.

Protect your personal data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

Interested in SpiderOak Products?

SpiderOak carved its niche as the top choice for those most concerned with privacy.

The engineering goal was simple – devise a plan where users’ files, filenames, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment. 
SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user has the ownership of data and is the only one with the keys to unlock and look at plaintext data. You can sign-up for this product at SpiderOak Blue and see it work seamlessly in your enterprise environment. To resolve authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible in Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.

One Response to “Adobe data breach affects 2.9 million customers”

  1. […] and neither is its extent. A good example of this is the recent Adobe privacy breach which has had far-reaching implications not just for Adobe itself but for users who use a range of other services. This is just not […]

Leave a Reply