Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: FYI - Adobe account compromise
From: Gary Warner <gar () CIS UAB EDU>
Date: Tue, 12 Nov 2013 06:54:09 -0600

Brian, 

True point!  I haven't spent money at Adobe, so wasn't thinking about the fact that many of those accounts *WERE* 
"payment information" accounts.  I honestly hadn't realized that the CREDIT CARD INFORMATION had been leaked.  I 
obviously HAVE the file of the password cryptotext and hints.  I now see at the bottom of the referenced sophos blog 
post:

+++++++++

"There's more to concern youself with.

Adobe also decribed the customer credit card data and other PII (Personally Identifiable Information) that was stolen 
in the same attack as "encrypted.""

+++++++++

So, looking back to Adobe's announcement:

blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html

(begin quote from same)

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our 
systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe 
customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information 
relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card 
numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as 
with external partners and law enforcement, to address the incident. We’re taking the following steps:

    As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID 
accounts. If your user ID and password were involved, you will receive an email notification from us with information 
on how to change your password. We also recommend that you change your passwords on any website where you may have used 
the same user ID and password.

    We are in the process of notifying customers whose credit or debit card information we believe to be involved in 
the incident. If your information was involved, you will receive a notification letter from us with additional 
information on steps you can take to help protect yourself against potential misuse of personal information about you. 
Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a 
one-year complimentary credit monitoring membership where available.

    We have notified the banks processing customer payments for Adobe, so that they can work with the payment card 
companies and card-issuing banks to help protect customers’ accounts.

    We have contacted federal law enforcement and are assisting in their investigation.

(End Quote)
++++++++++++++++++++++++

Curiously, as you pointed out, the current version of the FAQ still refers to only the 2.9 million customers, despite 
the clear fact that there are tens of millions listed in the data dump we've all seen.  Is it possible that there were 
2.9 million who had shared credit cards and the other "active accounts" were non-Credit Card people?

helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html

(Quoting from same)

What information exactly did the attacker gain access to?

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our 
systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe 
customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information 
relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card 
numbers from our systems.

We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, 
we are not aware of any specific increased risk to customers as a result of this incident.

(End quote)
++++++++++++++++

Brian Krebs has Adobe confirmation that 38 million "active user accounts" were among that dump.  Adobe's CSO 
acknowledged the source code leak of Cold Fusion and Acrobat code, and thanked Krebs and Holden for their data in this 
post: 

blogs.adobe.com/asset/2013/10/illegal-access-to-adobe-source-code.html

++++++++++++++++

Interestingly, in the Adobe forums, people who used a "unique email" to register their Adobe products have shared that 
those accounts began receiving spam after the breach (including spam containing malware links).  See for example:

forums.adobe.com/message/5813930

It may be interesting for those of us with access to University spam to compare "addresses on the Adobe breach list" to 
those NOT on the list and see if there are any unique campaigns being targeted to the Adobe group...






----------------------------------------------------------

Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
205.422.2113
gar () cis uab edu

-----------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]