Adobe Hack

[Andrew1]

This is a few days old but I didn't see an existing thread.

http://gigaom.com/2013/10/04/adobe-s...-bad-real-bad/

[Glenn NK]

It's all over the photo forums - not a good omen for Abobe.

What's bothersome, is that potentially credit card numbers, etc. were also involved.

Glenn

[John 2]

According to Adobe, no decrypted credit card data was hacked but if you have an Adobe a/c, now's the time to change your password.

[Glenn NK]

I changed mine.

G

[Brownbear]

What is Adobe a/c... I started changing all my passwords but perhaps there is no need to.

According to Adobe, no decrypted credit card data was hacked but if you have an Adobe a/c, now's the time to change your password.

[James G]

Christina, you might have set up an adobe account when you registered either Lightroom or PSE.

The 'simple' test is did you use your credit card to buy from Adobe via the web?

If so, like me, you will have supplied credit card details.

That said, if you have not received an email from Adobe informing you that your account details may have been hacked you are OK.

I received mine on Friday last, and I changed that password group immediately.

James

[John 2]

Interesting Article. It's worth a read. I have to wonder whether Adobe's recent change to Cloud marketing has in some way facilitated this?

http://www.itproportal.com/2013/10/0...-crown-jewels/

[Colin Southern]

What I'm really hoping for is the successful tracking down and prosecution of these thieves and vandals. If I had my way they'd be locked away for a VERY long time - without computer access - on a diet of bread and water.

[John 2]

Phoned my Credit card provider today. They have an advisory in place and immediately cancelled my card and dispatched a new one FOC.

Colin I'm with you WRT the hackers. It reminded me of a recent UK news item concerning a convicted hacker who quite incredibly was allowed to join a computer class whilst he was in the nick and yes you've guessed, he hacked into the prison's admin computer. The mind boggles.

[Brownbear]

Thank you. Yes, I purchased LR and PSE on-line, and used my credit card. I did receive the email and have changed that password already and will change the rest of my important passwords as many are a variation of that same password.

Christina, you might have set up an adobe account when you registered either Lightroom or PSE.

The 'simple' test is did you use your credit card to buy from Adobe via the web?

If so, like me, you will have supplied credit card details.

That said, if you have not received an email from Adobe informing you that your account details may have been hacked you are OK.

I received mine on Friday last, and I changed that password group immediately.

James

[Glenn NK]

Thank you. Yes, I purchased LR and PSE on-line, and used my credit card. I did receive the email and have changed that password already and will change the rest of my important passwords as many are a variation of that same password.

I used my credit card to purchase all versions of LR from 1.0 to 5, and I am registered as a user.

Although I did not receive a notice from Adobe, I have changed my password.

G

[Glenn NK]

What I'm really hoping for is the successful tracking down and prosecution of these thieves and vandals. If I had my way they'd be locked away for a VERY long time - without computer access - on a diet of bread and water.

What no public lashes and public torture?

Glenn

[James G]

I've had a word with my bank and on the basis that any encryption is at best a delaying tactic I've asked them to reissue my Credit cards and cancel the current cards.

Its a pain, but not worth the risk!

As regards the Hackers.... @#&&s to them, and as my old (irish) granny would have said, "eternal bad cess to them". She did have a way with words

[Colin Southern]

What no public lashes and public torture?

Glenn

Personally - yes - for sure, but last time I suggested that as a punishment for the Boston Bomber I ended up starting a global thermonuclear was with some around here!

[yauman]

As one who worked in IT for the last 30 years and whose butt was on the line if any of institution's servers were hacked, this is quite a serious compromise and I think Adobe is not yet ready to disclose the whole story. It was a sustained hack and they lost some of their source codes - which I find very surprising and which I hope is not true. They obviously need a new IT Security team and look into revamping their whole server security setup. It's just not acceptable for such a big company to be on the receiving end of a "sustained hack" and not find out about it till the hack was successful. There are so many way to prevent or divert these kinds of attacks and I find it quite puzzling how it got by them. Very very disturbing.
http://arstechnica.com/security/2013...-network-hack/

[Colin Southern]

As one who worked in IT for the last 30 years and whose butt was on the line if any of institution's servers were hacked, this is quite a serious compromise and I think Adobe is not yet ready to disclose the whole story. It was a sustained hack and they lost some of their source codes - which I find very surprising and which I hope is not true. They obviously need a new IT Security team and look into revamping their whole server security setup. It's just not acceptable for such a big company to be on the receiving end of a "sustained hack" and not find out about it till the hack was successful. There are so many way to prevent or divert these kinds of attacks and I find it quite puzzling how it got by them. Very very disturbing.
http://arstechnica.com/security/2013...-network-hack/

I too have worked in IT for about the same time - and I'm also answerable if servers get hacked (just as a frame of reference).

I don't necessarily agree with the "need a new security team" part though; Obviously on this occasion the bad guys got the better of them - but what's to say that things would have been any different if this "new security team" had already been in place?

I don't think it's necessarily a valid response to fire someone because of an issue like this any more than it would be to fire Sebastian Vettel just because he didn't win every race; sometimes things happen - and in my opinion - it's more important to look at what happened - how it happened - and how to stop it happening again. Replacing people with a certain track record doesn't guarantee a better result -- it just opens up the potential for a DIFFERENT result (which may be better or it may be worse).

Replacing an existing (and I'm sure very comprehensive) security team with another would probably expose them to even more risk because "the new team" would have zero experience with Adobe, and would be on a very steep learning curve. And just because the bad guys scored a rare win on this occasion doesn't mean to say that the security team are idiots.

[revi]

What I find most surprising is that the intruders got both financial information and source code. I'd expect these to be on different servers with different access privileges,
i.e. even the administrator accounts on one of the servers shouldn't have direct access to the other (and most certainly not the same passwords).

[Colin Southern]

What I find most surprising is that the intruders got both financial information and source code. I'd expect these to be on different servers with different access privileges,
i.e. even the administrator accounts on one of the servers shouldn't have direct access to the other (and most certainly not the same passwords).

Depends a bit on how they did it. I would have thought the same as you, but it is possible that they have trusted internal domains that give domain admins access to other domains. Who knows - they may even have had a bit of "help from the inside".

We'll probably never know. I'll bet their security depts will have been putting in a bit of overtime last week or so though.