Adobe hit by 'sophisticated' mega hack ransack

Adobe's systems have been hit by numerous "sophisticated attacks" that have compromised the information of 2.9 million customers, and accessed the source code of Adobe products. The company said on Thursday that it has been the victim of a major cyberattack and said hackers had accessed those millions of customer IDs and …

COMMENTS

This topic is closed for new posts.
  1. asdf

    Shock

    What a surprise. And here it looked like Adobe was starting to relax because Oracle has taken over their place as the biggest pariah security wise in the industry.

    1. danR2

      Re: Shock

      With all the constant 'security' and other updates Adobe pesters me for free Reader, it's no shock to me. Since Reader is the only point for their existence for the vast majority of people (I use Gimp for example), why don't they just abandon all their other junk, and do ONE job right?

      1. BristolBachelor Gold badge

        Re: Shock @danR2

        NO NO NO NO!

        There are plenty of alternatives to Reader; even to the full fat Acrobat Pro. What's more, almost all of them are better! I'd be happy for Adobe to drop it like a hot potato.

        What they should carry on with is CS which doesn't have an equivalent, but unfortunately they dropped it like a hot potato :(

    2. Anonymous Coward

      Re: Shock

      Adobe websites all use Linux of course....The only thing on the planet with more vulnerabilities than Adobe's own products...

      1. Anonymous Coward

        Re: Shock

        erm... http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/ #justsayin

  2. TaabuTheCat

    This will end well.

    All those security issues in Acrobat that Adobe couldn't be bothered to find? I think that problem's just been solved. Unfortunately, not by Adobe.

  3. Anomalous Cowturd
    Coat

    Perhaps it's those nice "white hat hackers"...

    And now they've got the source code, they're going to do the job properly for Adobe.

    In my dreams. ;o)

    1. Steven Raith

      Re: Perhaps it's those nice "white hat hackers"...

      I thought pretty much the same thing.

      One of my Very Favourite Websites/forums runs ColdFusion, and it's perpetually broken.

      Maybe the hackers can fork it, eh?

      1. Ol'Peculier

        Re: Perhaps it's those nice "white hat hackers"...

        And why exactly is that the fault of Adobe?

        I'd take a look at those developing, maintaining and hosting the site first, not the platform it was built on.

        For what it's worth, I look after a very busy CF powered ecommerce site and the only downtime we get is after Patch Tuesdays.

        1. Anonymous Coward

          Re: Perhaps it's those nice "white hat hackers"...

          People like to forget inconvenient facts. It doesn't matter if you're running Apache, Nginx, IIS, Cold Fusion, Tomcat, whatever, if you don't keep up with security updates you're just asking for a good reaming.

    2. itzman

      Re: Perhaps it's those nice "white hat hackers"...

      I was thinking the opposite: now they have the Adobe source code they know how to make the worst virus the world has ever seen. Adobe software.

      1. Jellied Eel Silver badge

        Re: Perhaps it's those nice "white hat hackers"...

        Hope so.

        <opens process list>

        armsvc.exe

        Yup, I'm still infected. Hopefully the hackers will make a patch to kill herpes-like Adobe TSR processes.

  4. Anonymous Coward

    All those new Creative Cloud customers caught out then?

    Can't be good for customer confidence!

    1. ecofeco Silver badge

      Re: All those new Creative Cloud customers caught out then?

      You beat me to it.

      Time for someone to create a replacement for CS.

  5. M Gale

    Obviously if you've bought Adobe's products as a disk from a shop and paid cash for them, you won't be affected.

    OH, WAIT.

  6. Anonymous Coward

    Hold Security guilty of hacking

    "Security firm Hold Security claims to have found 40 gigabytes in encrypted archives on a hacker's server, apparently containing source code on some of Adobe's biggest products."

    And how, pray tell, did Hold Security gain access to the hacker's server in order to find the encrypted archives?

    I must be the only person adding 2+2 together: 'encrypted third-party server was found to have data, says Hold Security'.

    No red flags raised? Hmmm. Yep yep: hacking is OK if *we* do it, just not the other way around.

  7. Captain DaFt

    "We are not aware of any zero-day exploits targeting any Adobe products."

    Have you tried looking?

    1. Crisp

      Re: "We are not aware of any zero-day exploits targeting any Adobe products."

      Why would they be looking? That's a foolhardy course of action!

      If you go around looking for 0-day exploits and find them, then you have a responsibility to fix them!

    2. chris lively

      Re: "We are not aware of any zero-day exploits targeting any Adobe products."

      Two ways to look at this: If they knew of the exploits, they wouldn't be zero day; or, they are simply lying. My money is on the latter. I don't trust Adobe at all. Products are crap, documentation is crap, support is crap.

  8. Anonymous Coward
    Go

    Open Source

    Adobe have now released their software as open source. Not sure what sort of license it has now but it should ensure quite a few holes are plugged rather quickly.

    Trebles all 'round.

    Cheers

    Jon

    1. Mephistro
      Angel

      Re: Open Source

      "...it should ensure quite a few holes are plugged rather quickly."

      I find your remark extremely distasteful!

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: Open Source

        Re: Open Source

        "...it should ensure quite a few holes are plugged rather quickly."

        I find your remark extremely distasteful!

        Let's leave Miley out of this :)

    2. Christian Berger

      Re: Open Source

      That's actually not open source, but selective opening to the source. That's the worst way to do it. It allows malevolent people to get the source code to find bugs they will just exploit for their own gains, while it doesn't allow benevolent people to search for bugs to report to the public so they get fixed.

  9. bigtimehustler

    Errrm, is it just me or is it slightly strange they are asking people to change their passwords on other services? The passwords were properly salted were they not? The salt used hasn't been compromised as well has it?

    1. This post has been deleted by its author

    2. cyrus

      Re:

      One should never use the same password in more than one place. Ideally all of your passwords would be different.

      Given the ease with which weak passwords can be cracked, Adobe are warning folks not only to change their Adobe passwords, but also the passwords of any other services that happen to use the same passwords. Because entire user profiles were lifted (apparently), there is a good chance that if the data were decrypted, it could be used to leverage an attack against a user's bank account, for example.

      1. bep

        Good advice except that it's impossible

        Every blinkin' website, including this one, requires you to register in order to comment, not to mention banks, software suppliers like Adobe etc etc. How are you supposed to remember all these passwords? OK, you put them in a password manager program. How do you secure that? Another password you have to remember. You're supposed to change that regularly of course, but it still has to be something that is a) hard to crack, but b)easy (or at least possible) to remember. If that gets cracked, they get everything. It's still better than nothing, but suggesting there is a security process that works reliably is highly misleading.

        1. Mark Simon

          Re: Good advice except that it's impossible — Not Quite Impossible

          The difference is that you don’t normally publish your password safe on the Internet, and so it’s less likely to be compromised. A reasonably good password on your own machine should be reliable.

          The real problem is when you entrust your passwords to others who can’t or won’t look after them properly.

          1. Ben Tasker

            Re: Good advice except that it's impossible — Not Quite Impossible

            The real problem is when you entrust your passwords to others who can’t or won’t look after them properly.

            The worst thing is there's no way to know upfront whether they will (or are capable of).

            How many sites do you register a nice strong password for only to find it instantly compromised because they've included it in the signup email? Let alone those stupid enough to still be storing plaintext.

        2. Ben Tasker

          Re: Good advice except that it's impossible

          OK, you put them in a password manager program. How do you secure that?

          Set a random 20 char password, buy yourself a Yubikey and configure that to send the password for you, assuming you're not using a service that works with the OTP functionality. Works on any machine as it's basically a USB keyboard as far as the OS knows.

          It's still not ideal, but it beats whining about how hard it is to maintain security on the accounts that you should want to protect.

          1. Tascam Holiday
            Thumb Up

            Re: Good advice except that it's impossible

            Set a random 20 char password, buy yourself a Yubikey and configure that to send the password for you, assuming you're not using a service that works with the OTP functionality. Works on any machine as it's basically a USB keyboard as far as the OS knows.

            Yep, something like LastPass will work across all major browsers and devices. Use two-factor where possible with a Yubikey or Google Authenticator - LastPass, Facebook, Google, Dropbox, Evernote accounts at least can all be made more secure this way.

            I use LastPass and have it automatically generate 20 character random passwords for every site I need to log into. I don't even know the passwords myself in most cases so even hammer decryption won't work on me.

            Nonetheless although we can do everything possible to be secure we'll always be at the mercy of the likes of Adobe clowns who are able to get my credit card details hacked. Changing my password for my Adobe account is no big deal, but changing my card is a PITA.

        3. JLV

          Re: Good advice except that it's impossible

          >How are you supposed to remember all these passwords?

          You don't. You re-use the same dumb, easily remembered and typed, password for the 50 dumb sites that are just registration-happy. If it doesn't have your CC# number and real email or some relevant s**t, why are you bothering with security on it? Do make a supreme effort and avoid 12345 tho ;-)

          Then, on the other 10-20 sites that matter (CC# for example), you use secure passwords, all different from each other, and put them into a password manager. Of course, you never re-use passwords anywhere where it would matter. You memorize your password mgr password and maybe some other key passwords.

          Facebook? Pretty useless, but a hit to your reputation if racist propaganda appears posted under your name. So you give it a big-boy password. Ditto LinkedIn. Not the Reg.

          When the passwords get hacked on one of the 50 trivial sites, you can run off and change them, if you want, on the others. I know my Reg pwd remained the same after the PS3 hack.

        4. Anonymous Coward

          Re: Good advice except that it's impossible

          Write them down.

          I have a book of passwords that lives in my house with a page for every website or service.

          The likelihood that someone is going to steal a small notebook with handwriting in it is almost zero... even when I carry it around...

          It may sound crazy but actually physical access to me and my computer is probably the biggest barrier to a hacker.

  10. Anonymous Coward

    Serves the bastards right

    I've uninstalled enough of their parasiteware distributed with the Flash player and PDF Reader. Scumbags

    1. Tree
      Unhappy

      Re: Serves the bastards right

      Such BLOATWARE that we no longer use Adobe Acrobat Reader, thank God. They want to track us with Flash cookies, though. Is that a threat to my privacy or not? Using NoScript helps, but I'm afraid. Idiots!

  11. Chairo
    Devil

    Surprise surprise

    When I first heard about "creative cloud", I wondered who would trust Adobe enough to give them their personal information. Turns out that at least 2.9 million people did so. - That is the only surprise here in my opinion.

    1. Anonymous Coward

      Re: Surprise surprise

      Actually I'm surprised it's so low. There must be more than 2.9m people who are printers, commercial artists etc. who are - unfortunately - dependent on Adobe's products for their livelihood. They were all pretty pissed when Adobe announced the creative cloud shit and now they're likely to pay the price. If the hackers have any decency, they'll not exploit details other than to force Adobe to go back to selling boxed product. Some dream though.

  12. Potemkine Silver badge

    At first

    Why do they keep credit card numbers stored somewhere? Such a thing should be made illegal, and it would solve many problems...

    1. localzuk Silver badge

      Re: At first

      How else would they do monthly charges to people easily without having to figure out every country's banking system?

      1. Woodgar

        Re: At first

        You use a payment provider, and let them sort it out.

        We handle thousands of transactions a day, many of them recurring payments, and yet we don't store a single credit card number, encrypted or otherwise.

        What we do store is a token that we pass to our payment provider that lets them know who to charge etc. Even if you got hold of the tokens it would do you no good, as the tokens are unique to our account, can only be used in conjunction with our account details, and will only be processed if the transaction originates on our IP.

        1. Anonymous Coward

          Re: At first

          You're an idiot. All this does is move the risk, it doesn't eliminate it. It doesn't really lower it either.

          1. Brenda McViking

            Re: At first

            Of course it lowers the risk - you hand the sensitive data to a company whose only vested interest is to protect it - it's their job, and if they have a breach then they're going to be finished. As it's their vested interest, they'll spend far more time and money making things secure, and economies of scale mean you'll get a vastly superior offering to doing it yourself.

            Otherwise what we'll end up with is every Tom, Dick and Muhammad Retail Ltd kludging together a badly implemented payment system which they don't understand and have no interest in keeping secure - they sell you their wares, not payment security. So long as it works and does the bare minimum, they're not going to improve it - they have their vested interests elsewhere.

    2. Andy 66

      Re: At first

      I recently purchased an iphone for the first time in an Apple Store (regent st - first time in apple store, not iphone purchase). The only ever other time I've purchased an Apple product with my existing card is on the Apple.fr website last year for my wife's iphone.

      Fanboi jokes aside, I was shocked that the salesfloor dear, after she swiped my card she asked if I'd like my receipt to my email (she had the correct email) and made a remark about the fact I had purchased 2 iphones in 1 yr that showed she had my purchase history on that shitty handheld terminal, after only a swipe of my cc.

      Does make one wonder how they are hashing stored ccards to be able to easily index it to an account and its purchases, as well as how that damn terminal can wirelessly take my swiped cc and access all that info in a secure manner.

  13. Anonymous Coward
    Joke

    Adobe Cloud

    Welcome to Adobe Cloud where every user must give us credit card details and then we let hackers steal them. It's called Cloud Collaboration.

    1. Anonymous Coward

      Re: Adobe Cloud

      Isn't that a nasty new twist on 'crowd sourcing' ...?

  14. Velv

    Wouldn't it be wonderfully blissful if the attackers breached Adobe through a published flaw in an Adobe product.

    At least I know my details haven't been stolen from Adobe's servers. I've always got my Adobe products from BitTorrent (JOKE!, I wouldn't touch Adobe products with a barge pole)

  15. John Bond

    Creative Cloud protest petition

    Not everyone who has signed up to CC has done so willingly. With limited time discount offers, Adobe has effectively forced many customers into signing up now - against their will - rather than risk getting left behind with outdated software. Many subscribers would, I'm sure, leap at the chance to return to boxed products, if only Adobe would reinstate them. This debacle only reinforces the case for customers to be given that option.

    There's an online petition here, in case anyone wants to add their voice:

    https://www.change.org/petitions/adobe-systems-incorporated-eliminate-the-mandatory-creative-cloud-subscription-model

  16. Stevie

    Bah!

    I think the offering of credit checking may be a legal requirement.

    Three times in the past dimwit banks holding my mortgage have "lost" tapes containing ID theft information, carefully collected to be logically adjacent and mightily encrypted as EBCDIC. Said banks were reassuringly positive that "no one could read the tapes in question" and that they were thinking of encrypting the information more robustly some time real soon now (apparently the thought that getting hold of a reel-to-reel tape deck and the equipment to drive it might be trivially easy, especially for people who keep "finding" these "lost" tape reels has not found popular acceptance with banking IT).

    And each time I got a year of credit checking out of it. Since banks never give anything away in the US for free I have to think there was some piece of needless left-wing liberal legislation forcing their hands.

  17. xyz Silver badge

    bugger!

    I had to buy a font from Adobe a few months back. At the time I thought their whole online purchasing "system" was a joke from the mid 1990s and hey guess what...it is. I am now in receipt of an Adobe "Dear John" email. The "you're shafted" email only mentions checking your credit card statements, there's nothing about the "complimentary" ass saving checks that the press seems to have been spun.

    First and last time I go near that bunch of twats

    1. Stevie
      Trollface

      Re: bugger!

      Not so. I predict "you" will make several more purchases of their most expensive software, along with sundry computer hardware from a variety of web-hosted vendors.

  18. Ant Evans
    Joke

    Adobe is seeking to reassure users.

    "We are not aware of any zero-day exploits targeting any Adobe products."

  19. peter 45

    Perhaps

    They should have downloaded that server software update..........again.........and again.........and again

  20. Mark 15

    Unwanted download

    When this broke, I already had the email from Adobe and decided to do a quick PW change and check the details. Having been through a process of updating PWs the week before and renewing many, I was confident that we had done what we could - very little in my control, thanks Adobe.

    On signing in to my Adobe account, a download dialogue box opened up. I cancelled and backed out immediately. I didn't note the name of the file other than it being something like templatefile but with an exe extension. Nothing was downloaded - close shave.

    I checked again today and didn't get this and so assume Adobe has cleaned this up. Anyone else had similar?
