Printed from http://www.electronista.com

Adobe drags feet on notifying data theft victims, millions at risk

updated 05:38 pm EST, Mon November 25, 2013

Up to 138 million Adobe CC accounts violated by data breach

Adobe has admitted that it is taking significantly longer than it expected to email all of the customers affected by the epic-scale security breach, with some victims still not contacted more than 10 weeks after the data theft. Adobe discovered the attack on September 17 but did not go public with the information until October 3, and two full months after the breach it has still not informed all affected customers.

"Email notifications are taking longer than we anticipated," said Adobe spokeswoman Heather Edell. Edell claims that 2.9 million customers with lost financial information have been notified, but declined to say what percentage of the over 30 million have been informed to date.

Circulating on the Internet is a file containing information on 125 million Adobe ID accounts stolen in the attack, along with encrypted passwords and password hints. Several security firms have evaluated the file and determined it to be genuine. Adobe claims that at least 25 million records have invalid email addresses, with a "large percentage" being fictitious and configured for one-time use.

The user data taken was described as "many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords and test account data" by Edell. The company is continuing its investigation to determine which service users are affected. Edell claims that the company wasn't aware of unauthorized use of Adobe accounts as a direct result of the attack. "Our investigation is still ongoing," she said. "We anticipate the full investigation will take some time to complete."

The company is also notifying all banks that process customer payments for Adobe of the breach to help protect customer accounts. Federal law enforcement agencies have also been contacted, and Adobe says it is assisting in their investigations. While saying that "cyber attacks are one of the unfortunate realities of doing business today," Adobe Chief Security Officer Brad Arkin said the company "deeply regrets" that the incident occurred, and that "we will work aggressively to prevent these types of events from occurring in the future."



By Electronista Staff
Comments

  1. jpellino

    Fresh-Faced Recruit

    Joined: 10-29-99

    I still haven't been told by Adobe - I got wind of this by way of an alert from Evernote.

  1. Inkling

    Dedicated MacNNer

    Joined: 07-25-06

    Millions at risk? As the article itself notes, these non-reachable email addresses are invalid IDs, inactive IDs etc. In a sense, these people don't exist. And this story has been all over the tech-news for months. It's not like sending everyone an email matters. I changed my Adobe password as soon as I heard. That's all it takes to make this leak a non-problem. Is there ANY evidence that ANYONE'S financials have leaked? This is a non-story Electronista and MacNN. You're acting like a fifth-rate tabloid run by hysterics. Why not shut up until there is actual harm shown.

  1. Mike Wuerthele

    Managing Editor

    Joined: 07-19-12

    Well, Adobe says that they prioritized informing people whose financial info was stolen, as mentioned in the article (the 2.9 million people with lost financial information), but importantly, still waited at least two weeks to do so after the breach.

    So yes - there has been actual harm shown, and the event was mishandled. You can call it a non-story because you weren't affected, but that doesn't make it so.

  1. pairof9s

    Mac Enthusiast

    Joined: 01-03-08

    I agree, EstaNightshift...Adobe is too large a company and its forums too popular to say this is a trivial event. I'd guess, simply by the ineptness of Adobe first in allowing the security breach and second in poorly handling the crisis management, that their team is spinning this as best as they can by stating "many are invalid".

    Well 100 million out of 125 million and 3 mil out of 30 million still seems like lousy percentages to me!

  1. Inkling

    Dedicated MacNNer

    Joined: 07-25-06

    By "actual harm" I mean actual harm. Two months have passed. Where are the interviews with people who have lost control of their Adobe accounts because their password was decrypted and stolen? Where are the people who had their credit card account looted? I've seen a host of "millions at risk" stories from the tech-media on this topic. I've not seen a single report of actual harm. It's time to calm down. If you haven't already, change your Adobe password. Then take a deep breath, have a glass of warm milk, and relax.

  1. jreades

    Junior Member

    Joined: 02-02-99

    Inkling, you obviously don't understand what the problem is. No one gives a hoot about the Adobe accounts, because that's not where the problems will show up. The issue is that Adobe screwed up the encryption of user passwords: every user's password is encrypted the same way and the encryption algorithm chosen leaks information about the length of the password. So if I can guess Fred's password correctly, then I know that every *other* password in the database that has the same encrypted output *also* had the same input. They should have been salting the encryption with the username, but they weren't and this runs against known best practice *everywhere*.

    So why does this matter? Because the vast majority of people re-use passwords across multiple web sites. That's why it is so disingenuous of Adobe to say "We're not aware of any problems with our Adobe accounts." No one was worried about Adobe accounts. They are worried about bank accounts. Email accounts. Everything *else*.

    If you have *ever* used the same password that you used with your Adobe account on another service then you don't just have to change your Adobe one, you should change all the others too. Now, assuming you might have re-used the same password once or twice, which accounts do you need to change?

    It's because of this that I started using 1Password.
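
An added example (not part of the thread and not Adobe's code) of the property jreades describes above: with one site-wide key and no salt, equal passwords produce equal stored values and the stored size bounds the password length. The toy Feistel cipher, key, block size and sample accounts are constructed assumptions, and the random-salt PBKDF2 variant is a common corrected form rather than anything the page specifies.

```python
import hashlib, hmac, os
from collections import Counter

KEY = b"constructed-demo-key"  # assumption: one key shared by every account
BLOCK = 8                      # assumption: 8-byte blocks for the toy cipher

def _round(half: bytes, i: int) -> bytes:
    return hmac.new(KEY, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def _encrypt_block(block: bytes) -> bytes:
    # 4-round Feistel network: a toy stand-in for a real block cipher.
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(right, i)))
    return left + right

def unsalted_encrypt(password: str) -> bytes:
    """Weak form: same key for every user, each block encrypted independently."""
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(_encrypt_block(data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def salted_hash(password: str, salt: bytes) -> bytes:
    """Corrected form: per-user random salt and a slow one-way function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def duplicate_groups(stored: list[bytes]) -> int:
    """Audit check: stored values shared by more than one account."""
    return sum(1 for n in Counter(stored).values() if n > 1)

def length_bound(stored: bytes) -> tuple[int, int]:
    """Password length range implied by ciphertext size under block padding."""
    return (len(stored) - BLOCK, len(stored) - 1)

# Constructed sample accounts; two users share a password.
USERS = [("fred", "sunshine1"), ("ann", "sunshine1"),
         ("bo", "x7!qLm"), ("cy", "correct horse battery")]

def audit():
    enc = [unsalted_encrypt(p) for _, p in USERS]
    hashed = [salted_hash(p, os.urandom(16)) for _, p in USERS]
    return duplicate_groups(enc), duplicate_groups(hashed), [length_bound(c) for c in enc]

if __name__ == "__main__":
    print(audit())
```

Running `duplicate_groups` over a real credential table is a quick way to confirm that storage is salted: any non-zero result means equal passwords are distinguishable at rest.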

  1. nouser

    Fresh-Faced Recruit

    Joined: 04-29-12

    For a company the size of Adobe to have allowed the theft of millions of its users' account info, credit card data and passwords is bad enough but to sit quietly on this for months is inexcusable. And just what is the number of users affected? First it was 3 million, then it grew to 38 million and now it has mushroomed to over 150 million.

    While inexcusable it is not surprising based on the number of times Adobe has issued patches to its software. It is not hard to come to the conclusion that Adobe just doesn't pay much heed to security.

    No one can say just how many users have suffered or will suffer real harm from this or if that shoe is just about to drop for millions. There is no doubt that hackers and crooks use stolen user data to cause harm to users on a daily basis. Given the size and scope of this theft, you can count on users being affected.

    IMO, Adobe should be forced to set up credit monitoring for all of its affected users as a preventative measure.

    Now tell me again why I should consider the Adobe Creative Cloud initiative.

  1. elroth

    Junior Member

    Joined: 07-05-06

    @Inkling: that's a pretty weird comment. In the article it says (according to Adobe) that 25 million of the addresses are outdated or invalid. That leaves 100 million valid addresses at risk.

  1. Grendelmon

    Mac Enthusiast

    Joined: 12-26-07

    Originally Posted by Inkling

    Millions at risk? As the article itself notes, these non-reachable email addresses are invalid IDs, inactive IDs etc. In a sense, these people don't exist. And this story has been all over the tech-news for months. It's not like sending everyone an email matters. I changed my Adobe password as soon as I heard. That's all it takes to make this leak a non-problem. Is there ANY evidence that ANYONE'S financials have leaked? This is a non-story Electronista and MacNN. You're acting like a fifth-rate tabloid run by hysterics. Why not shut up until there is actual harm shown.



    Inkling, you are so full of shit.

    A real news article about the breach.

  1. Grendelmon

    Mac Enthusiast

    Joined: 12-26-07

    Originally Posted by Inkling

    By "actual harm" I mean actual harm. Two months have passed. Where are the interviews with people who have lost control of their Adobe accounts because their password was decrypted and stolen? Where are the people who had their credit card account looted? I've seen a host of "millions at risk" stories from the tech-media on this topic. I've not seen a single report of actual harm. It's time to calm down. If you haven't already, change your Adobe password. Then take a deep breath, have a glass of warm milk, and relax.



    Also, some more ramifications...

    Facebook Warns Users After Adobe Breach — Krebs on Security
