Adobe hack much worse than previously thought (x2)

Have to say that I must have my head in the sand... This thread is the first I've heard about this hack!Only signed up with CreativeCloud last week as well :-(

Time for a password change & to monitor the bank account...
 
The hack was a couple of weeks ago, so you're probably safe :D
 
Oh my word I have only just heard about this I have just been to my account and discovered my account details had altered. So I have had to change stuff and changed my password. Shocking that this could happen in the first place just goes to show that nowhere on the internet is safe.
 
The list of stolen details has actually been leaked/published. To be honest... if the top 100 are anything to go by, Adobe being hacked is the least of their worries. Seriously... some people DESERVE to be hacked.

http://stricture-group.com/files/adobe-top100.txt
 
digitalfailure said:
The hack was a couple of weeks ago, so you're probably safe :D
Click to expand...

Longer than that, Brian. Adobe announced over 5 weeks ago that they had "discovered" the hack during one of their routine security checks. They are not at all specific about exactly when it happened. I'll not be surprised if they have not got a clue.
 
arclight said:
Longer than that, Brian. Adobe announced over 5 weeks ago that they had "discovered" the hack during one of their routine security checks. They are not at all specific about exactly when it happened. I'll not be surprised if they have not got a clue.
Click to expand...

This is the worry, rather woeful at best. Serves as a timely reminder to ensure that passwords are unique and individual to each application/site.
 
srichards said:
Adobe need prosecuting for this. Big fine and a serious kick up the backside. Its unacceptable.
Click to expand...

I agree that the situation is unacceptable. I disagree that it is Adobe's fault. Their system was hacked. I'm pretty certain that they will have had the best security and encryption, but as the hacking of the US Dept of defences by a British amateur shows, you can have the best security possible, and still have it hacked.

It's like blaming Ford when some idiot in an Escort causes an accident by reckless driving!
 
DazJW said:
It's not their fault that they were hacked but it is their fault that they were storing sensitive information with such a poor level of security.
Click to expand...

Do you know, and do you have any empirical evidence that their security was poor, or is your evidence anecdotal??

Look at all the governmental departments, banks, and similar such organisations who have been hacked.

There will always be someone prepared to try to hack any sort of protection, and they often get lucky. I don't think that any computer system is 100% safe from hacking.

Doug
 
dougdarter said:
Do you know, and do you have any empirical evidence that their security was poor
Click to expand...
I linked to an analysis in the first post of the thread.

DazJW said:
...to make matters worse it's stored in a very alarming way - including passwords in poor, repeated encryption and password hints in plain text (Source)...
Click to expand...

For clarity I'm not blaming them for the people getting in, I'm blaming them for not using better encryption on the actual data itself.
 
Last edited:
Adobe held, and had stolen, millions of credit card details (mine included) for customers who had made a one off purchase. There is absolutely no good reason to hold card details for customers who only make standalone payments now and again or only once as in my case. They are not the only outfit who do that, but many don't because it is bad security practice as it does present an entirely avoidable risk - what is not stored cannot cannot be stolen.

They don't even offer the facility for customers to delete card details after a purchase (as Amazon do).
 
dougdarter said:
I agree that the situation is unacceptable. I disagree that it is Adobe's fault. Their system was hacked. I'm pretty certain that they will have had the best security and encryption, but as the hacking of the US Dept of defences by a British amateur shows, you can have the best security possible, and still have it hacked.

It's like blaming Ford when some idiot in an Escort causes an accident by reckless driving!
Click to expand...


Read the security reports, their security model was woeful. They encrypted large numbers of passwords without hashing and salting. They allowed members to have a password hint contain the password they were hinting at.

http://nakedsecurity.sophos.com/201...ter-adobes-giant-sized-cryptographic-blunder/


It was a disaster of there own making.
 
dougdarter said:
I agree that the situation is unacceptable. I disagree that it is Adobe's fault. Their system was hacked. I'm pretty certain that they will have had the best security and encryption, but as the hacking of the US Dept of defences by a British amateur shows, you can have the best security possible, and still have it hacked.

It's like blaming Ford when some idiot in an Escort causes an accident by reckless driving!
Click to expand...


Read the security reports, their security model was woeful. They encrypted large numbers of passwords without hashing and salting. They allowed members to have a password hint contain the password they were hinting at.

http://nakedsecurity.sophos.com/201...ter-adobes-giant-sized-cryptographic-blunder/


It was a disaster of there own making.
 
arclight said:
Longer than that, Brian. Adobe announced over 5 weeks ago that they had "discovered" the hack during one of their routine security checks. They are not at all specific about exactly when it happened. I'll not be surprised if they have not got a clue.
Click to expand...
Actually the hack took place in mid august...

And you can't really copy, look at or do anything at all with any files on a server without it being logged... so Adobe knows exactly, what happened.


Some interesting facts re. passwords in this thread http://www.talkphotography.co.uk/th...u-rlyeh-wgahnagl-fhtagn1-safe-pasword.511223/
 
Jan K. said:
Actually the hack took place in mid august...

And you can't really copy, look at or do anything at all with any files on a server without it being logged... so Adobe knows exactly, what happened.


Some interesting facts re. passwords in this thread http://www.talkphotography.co.uk/th...u-rlyeh-wgahnagl-fhtagn1-safe-pasword.511223/
Click to expand...

Yes, and it was in mid September that Adobe were investigating it, but not until into October that they though to go public. I'll not be trusting them ever again.
 
Just checked lastpass. Only one other person using my password.
And it turns out that other person was me, with my other email address. When I thought I had registered and knew what my password was... but not my login!

Not bad...
 
Okay, just back from LuLa...

Quite some time ago I spent a couple of days trying to get Adobe to remove my account... at first they were stunned, that I would really leave, but finally after getting two different supporters to look into the "case", they confirmed, that my account would be deleted...

Today there's a warning thread over at LuLa http://www.luminous-landscape.com/forum/index.php?topic=84056.0 ... and I tried the link https://lucb1e.com/credgrep/

And my acount is not deleted. Email is freely available everywhere now.


Just bloody great. And exactly what I expected from Adobe...
nono.gif
 
i'm a night driver and at 01.45 this morning i received an e-mail from>>>"lookout" they want my adobe details think i'll give them a miss :boxer: were only trying to help you secure your adobe account it said.
 
Last edited:
Jan K. said:
Today there's a warning thread over at LuLa http://www.luminous-landscape.com/forum/index.php?topic=84056.0 ... and I tried the link https://lucb1e.com/credgrep/

And my acount is not deleted. Email is freely available everywhere now.


Just bloody great. And exactly what I expected from Adobe...
nono.gif
Click to expand...

But you are happy to add your details to a list where they have this as the disclaimer?

"How can you know this is safe, and that I will not just collect and sell your email addresses? The truth is, you can't. The only thing you can do to prevent this is entering a partial email address, or just download the file yourself*."
 
This morning I received a letter from Adobe re the loss of customer data etc. The letter states that some customer names, card details and encrypted numbers were taken. In addition the hackers (Adobe call them a third party) used Adobe systems to decrypt some card numbers. Adobe goes on to tell me to monitor my account for incidents of fraud and identity theft.

I phoned my card provider who said the card must be treated as compromised. Card company killed it instantly and will issue a new card.
 
arclight said:
This morning I received a letter from Adobe re the loss of customer data etc. The letter states that some customer names, card details and encrypted numbers were taken. In addition the hackers (Adobe call them a third party) used Adobe systems to decrypt some card numbers. Adobe goes on to tell me to monitor my account for incidents of fraud and identity theft.

I phoned my card provider who said the card must be treated as compromised. Card company killed it instantly and will issue a new card.
Click to expand...

I'd have said that was a given, right from the point that we were notified of the hack.
 
graphilly said:
I'd have said that was a given, right from the point that we were notified of the hack.
Click to expand...

Yes, you are right and for Adobe just to tell customers to keep an eye on their statements is damned poor advice.
The bit in their letter about the hackers using Adobe systems to decrypt "some" card numbers is a new development for me (not exactly unexpected, though). Not seen that reported before.
 
There's no point getting a new card and handing it to adobe as it would mean entering new card data into a known to be insecure system.

Unless adobe allows users to remove card data and pay via a third party processor there's no point. I'm not going to risk another card being compromised by giving them more data to get stolen.

They want prosecuting. Its utter incompetence.
 
Last edited:
srichards said:
There's no point getting a new card as it would mean entering new card data into a known to be insecure system.

Unless adobe allows users to remove card data and pay via a third party processor there's no point. I'm not going to risk another card being compromised by giving them more data to get stolen.

They want prosecuting. Its utter incompetence.
Click to expand...

Well for all of the thousands or millions(?) of people that no longer have a need for Adobe to have credit card details then I'd say that it was a good idea to cancel the card that they had on file with Adobe.

I'd also suggest that if you know or suspect that your card has been compromised in any way then you should also cancel your card. I wonder who is responsible for losses in this situation, the person holding the card that knows the details have been compromised or the card company? I guess it changes from country to country.
 
Last edited:
It's totally infuriating.

The card was compromised 2 months ago so any fraud would have already shown up. Adobe have only just been arsed to let people know.

I will be removing my card details from their systems and they'll have to accept another payment method as they are too incompetent to be allowed to retain any payment information of mine.
 
srichards said:
It's totally infuriating.

The card was compromised 2 months ago so any fraud would have already shown up. Adobe have only just been arsed to let people know.

I will be removing my card details from their systems and they'll have to accept another payment method as they are too incompetent to be allowed to retain any payment information of mine.
Click to expand...

What makes you think that, the timescale alone? There is nothing to stop fraud attempts from this data for many months to come. I reckon there will be a high number of people a bit like yourself that have not cancelled their cards as of yet that will continue to ignore the issue. I bet there will be a high number of people that don't even know about it yet for whatever reason.
 
There's no point stealing card data and not using it. If you don't use it then whoever you stole it from will have already noticed and everyone will cancel those cards. You want to steal it and use it asap.

I also notice that people are saying they can't update expired cards at the moment which makes me think that not only have they stolen the old card data they have put in methods to steal all the new card data too!

They also mention identity theft so that the fall out from this is going to last a while which is why it is even more disgusting of adobe not to alert people IMMEDIATELY that data had been stolen. Not weeks and months later.

The card I thought they had used wasn't the one that they had so I have had to cancel it. The one I thought they had expired soon so it would have been replaced in the next few weeks anyway.

Adobe need to make sure there are alternative payment arrangements that don't involve them holding card data. They're too incompetent.
 
srichards said:
There's no point stealing card data and not using it. If you don't use it then whoever you stole it from will have already noticed and everyone will cancel those cards. You want to steal it and use it asap.

I also notice that people are saying they can't update expired cards at the moment which makes me think that not only have they stolen the old card data they have put in methods to steal all the new card data too!

They also mention identity theft so that the fall out from this is going to last a while which is why it is even more disgusting of adobe not to alert people IMMEDIATELY that data had been stolen. Not weeks and months later.

The card I thought they had used wasn't the one that they had so I have had to cancel it. The one I thought they had expired soon so it would have been replaced in the next few weeks anyway.

Adobe need to make sure there are alternative payment arrangements that don't involve them holding card data. They're too incompetent.
Click to expand...

I think you are naive to think like this. That is not always the way it works. In many instances other data is gathered corroborated and collated. Details are checked against credit reports available to them for example and then target specific cards at specific times. This can be months down the line.

I haven't seen the reports of people not able to update expired card data but I know that myself and a few others have done so already and I've had a payment taken from it at the beginning of the month.
 
Last edited:
Got a letter from adobe today informing me that my bank details have probably been leaked and that I should monitor my account for unauthorised activity...

Absolutely disgusting level of security that warrants adobe to suffer legal action in my opinion.
 
If you look on adobe forums there are a couple of people with that card updating issue. It is happening now.
 
srichards said:
There's no point getting a new card as it would mean entering new card data into a known to be insecure system.

Unless adobe allows users to remove card data and pay via a third party processor there's no point. I'm not going to risk another card being compromised by giving them more data to get stolen.

They want prosecuting. Its utter incompetence.
Click to expand...

Don't get that ............. I will get a new card, but no way will I ever trade with Adobe again, therefore Adobe will never get the chance to reveal my card details again. I simply will never trade with them again.
 
I've edited original. I meant there's no point getting a new card and handing it to adobe.
 
You must log in or register to reply here.
Back
Top