Bad to Worse. Update: 38 Million Adobe Users Could Be at Risk of ID Theft in Recent Breach. Photoshop Source Code Also Compromised.
Original reports of the Adobe breach said hackers had stolen approximately 3 million encrypted customer credit card records as well as login data for user accounts. Now, it’s believed at least 38 million users were impacted and massive amounts of source code for the Photoshop family of graphic design products was leaked. Additionally, source code was stolen for Adobe Acrobat and Reader, as well for Adobe’s ColdFusion Web application platform.
Brian Krebs, in KrebsOnSecurity, observed, “It was difficult to fully examine many of the files on the hackers’ server that housed the stolen source (code) because many of the directories were password protected, and Adobe was reluctant to speculate on the number of users potentially impacted.
“…AnonNews.org (which describes itself ‘an independent and uncensored (but moderated) news platform for Anonymous’) posted a huge file called “users.tar.gz” that appears to include more than 150 million username and hashed password pairs taken from Adobe. The 3.8 GB file looks to be the same one (security expert) Alex Holden and I found on the server with the other data stolen from Adobe.”
Adobe spokesperson Heather Edell stated that, “attackers obtained access to Adobe IDs and…encrypted passwords for approximately 38 million active users. We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.”
Edell added that Adobe believed hackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data.
Krebs noted that among the stolen material was a 2.56 GB-sized file called ph1.tar.gz. While Krebs and Holden were not able to crack the password on the thieves’ server, “AnonNews.org posted a file by the same name and size that was not password protected, and appeared to be source code for Adobe Photoshop.”
Adobe customers, whose encrypted credit card data was stolen, were offered a year’s worth of credit monitoring. In a touch of the ironic, the credit monitoring would be done by Experian, which itself was tricked by a Vietnamese hacker and identity thief into selling consumer records directly to his online identity theft service.
ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.