bit-tech.net

Adobe breach leaks source, millions of customers' details

Adobe's network has been compromised by attackers unknown, resulting in the leaking of payment details on nearly 3 million customers along with product source code.

Software giant Adobe has confirmed that it has suffered a major security breach which has resulted in the loss of personal information relating to nearly three million customers.

The attack, which was confirmed by Adobe late yesterday, resulted in the loss of source code to numerous Adobe products along with customer IDs, passwords, payment card details and other order-related information. While these details are claimed to be encrypted, it's still a wealth of data for the attackers to pore over.

'Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products,' Adobe's chief security officer Brad Arkin explained in a statement to customers and press. 'At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident.'

The company says it has reset all affected customer account passwords and is notifying those whose details were stolen by email, with physical letters offering a one-year free credit monitoring service going to those whose payment details were taken. 'We have contacted federal law enforcement and are assisting in their investigation,' Arkin added.

'We value the trust of our customers,' concluded Arkin. 'We will work aggressively to prevent these types of events from occurring in the future. Again, we deeply regret any inconvenience this may cause you.'

Thus far, the attackers have not been identified.

24 Comments

Corky42 4th October 2013, 19:28
Quote:
At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.

They don't believe! I would hope they know for certain. And have they just admitted they actually store decrypted credit or debit card numbers on their systems?
fix-the-spade 5th October 2013, 02:08
Welcome to the subscription business model Adobe, with all that comes with it!
Bindibadgi 5th October 2013, 03:17
As long as all those pirates have been stopped, that's OK, right?

greigaitken 5th October 2013, 10:41
If a bank stores your stuff and gets robbed, then the bank will pay you the value of the stuff they stored, unless it goes under.
If companies had to pay a value of compensation when your data gets robbed, I bet they'd think twice about needlessly storing it.
Kovoet 5th October 2013, 10:49
Quote:
Originally Posted by Bindibadgi
As long as all those pirates have been stopped, that's OK, right?

Too true

Sent from my GT-I9505 using Tapatalk 2
Silver51 5th October 2013, 11:55
I hope they had everything backed up on the cloud.

Oh... wait...
Big Elf 5th October 2013, 14:55
Yet another large organisation proves it can't be trusted with personal data.
faugusztin 5th October 2013, 15:01
Quote:
Originally Posted by Corky42
They don't believe! I would hope they know for certain. And have they just admitted they actually store decrypted credit or debit card numbers on their systems?

They have a subscription model. That requires the ability to periodically charge fees against your credit card. To do that, they need to have your credit card number. That means the credit card number cannot be hashed, unlike passwords. A credit card number can be encrypted, but to have the ability to use that number for anything the decryption code must be there on the server too. Which means an encrypted credit card number is as good as an unencrypted one.

In short: everyone who has to charge you more than once must have your credit card number stored in their system, and encrypted/plain text doesn't really matter, because if they breached the system the encryption key is there as well.
RedFlames 5th October 2013, 15:32
Quote:
Originally Posted by Big Elf
Yet another large organisation proves it can't be trusted with personal data.

Yet more proof that if they want your details badly enough there's not an awful lot you can do about it...

Poke hard enough in the right place and you'll find/make a hole in even the most robust security... Look at what's just happened to Barclays and Santander...
Big Elf 5th October 2013, 15:40
There's a lot that can be done about it, but I doubt anyone will have the guts to do it.

For a private organisation, hit them hard in 2 places: the pocket, i.e. a massive fine, and the head of security fined and/or sacked. Chairman of the board heavily fined.

For a public organisation same thing except no massive fine but multiple sackings.

That might just give them enough incentive to stop it happening again.

Edit: you can't really hold Santander or Barclays up as examples of competent organisations.
Corky42 5th October 2013, 16:16
Quote:
Originally Posted by faugusztin
In short: everyone who has to charge you more than once must have your credit card number stored in their system, and encrypted/plain text doesn't really matter, because if they breached the system the encryption key is there as well.

Well if a company is doing that I wouldn't trust them with my details.

In the end nothing is 100% secure, but storing credit card details in plain text or on the same system used to decrypt the hashes is asking for trouble. If you needed to go in and out of your house on a regular basis you wouldn't leave your keys in the lock, or under the mat.
faugusztin 5th October 2013, 16:45
Quote:
Originally Posted by Corky42
Well if a company is doing that I wouldn't trust them with my details.

Means you can never use a credit card online, ever. It is irrelevant if it is one same system or another: once you can access the other database (and you need it so users can change their details) via any means, so can the attacker.
Corky42 5th October 2013, 17:12
Well most of the time I have used a CC online it redirects to another server to authenticate, even when I make regular purchases. Like I said no system is 100% secure, but storing CC details or the hashes on a separate system to the one that authenticates/decrypts those details means you double the chances of spotting that the system has been compromised.
faugusztin 5th October 2013, 17:14
That doesn't redirect you to another server, but to the payment processor website. That is all good and nice in case you are doing one time payment, but absolutely unusable for recurring payments.
Corky42 5th October 2013, 18:43
So contrary to you saying "Means you can never use a credit card online, ever." you are more secure when being redirected to the payment processor's website. Having both the lock and the key on the same system is asking for trouble, it's as dumb as keeping the source code for your products on the same system. There are reasons backups are stored off site: if something happens to the main systems you don't risk compromising all your data.

2.9 million people's personal data has been put at risk by Adobe because they put all their eggs in one basket. It's even more worrying when you learn this actually happened mid-August, and it's only when a third party discovered Adobe source code in the wild that they notified people.
faugusztin 5th October 2013, 19:08
@Corky42: But again, you cannot do it that way for recurring payments. What you describe is good only for one time payments - Creative Cloud is a recurring payment, not one time fee.
gcwebbyuk 5th October 2013, 23:08
As stated previously though, nothing is 100% secure. So you can take it out on Adobe as much as you like, but at the end of the day, it's the hackers who did this. I was one of the 2.9 million who had their details taken (although I think I am as Adobe have sent me the email). I have changed my password, and will keep an eye on my bank account to see if any payments are taken. If that does ever happen, then I will see what form of compensation is available from Adobe. There really isn't anything else you can do, other than never use your credit card for recurring payments on-line.
Corky42 6th October 2013, 00:59
@faugusztin, so you are saying they had to keep all the source code, customers' personal details, hashed CC details, decryption keys, and login details all on the same network/system? It doesn't matter if it's a one time payment or a recurring payment, you don't keep all your critical data on one system.

It's beyond stupid, anyone with half a brain would segment critical data so if an attack is successful you only compromise part of your data; you also have more chances for any IDS to pick up a compromise.

As I keep saying it's not about 100% security, it's about delaying and identifying the attack so something can be done about it. Adobe kept everything on one system and they didn't even know they had been hacked for around three weeks.

If they split the critical data across different systems it would have been simple for any IDS to pick up suspicious activity, like the 2.9 million accounts being accessed all at once, or the 40GB of data downloaded.
gcwebbyuk 6th October 2013, 03:18
But how do you know that? From a news article? Do you know how their system is setup? Has there been several attacks - to several networks? Unless you have ALL of the facts, you can't really judge - can you?
faugusztin 6th October 2013, 07:03
Quote:
Originally Posted by Corky42
@faugusztin, so you are saying they had to keep all the source code, customers' personal details, hashed CC details, decryption keys, and login details all on the same network/system? It doesn't matter if it's a one time payment or a recurring payment, you don't keep all your critical data on one system.

I don't talk about the source code, that is a separate question. But for the rest:
1) credit card data CANNOT be hashed. Hashing is a one way function, data cannot be restored from a hash. Hashing is useless for anything else but passwords in this context.
2) if credit card data was encrypted, then to be able to show/edit credit card information to users via the website it has to have access to the credit card information, and have access to the decryption keys. And because that key has to be part of the website, it is pretty much useless, unless we talk about a database-only hack, which is not what happened here, as this one looks like a complete hack including internal systems.
Corky42 6th October 2013, 08:07
Maybe I can't judge, but I can form an opinion based on what is known.

This attack happened in mid-August (6-8 weeks ago), Adobe has been working on an investigation into a potentially broad-ranging breach into its networks since Sept. 17 (2-3 weeks ago), and customers only received notification this week. They have only bothered to notify their customers because a third party discovered 40GB of Adobe source code out in the wild:
http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
Quote:
Adobe believes the attackers stole credit card and other data on approximately 2.9 million customers, and that the bad guys also accessed an as-yet-undetermined number of user names and passwords that customers use to access various parts of the Adobe customer network.
It believes but doesn't have actual proof in the form of logs and such; it doesn't even know how many user names and passwords have been compromised.
Quote:
Adobe said the credit card numbers were encrypted and that the company does not believe decrypted credit card numbers left its network.
Again we are told it believes (meaning without absolute proof).
Quote:
Arkin said the company has not yet determined whether the servers that were breached were running ColdFusion, but acknowledged that the attackers appear to have gotten their foot in the door through “some type of out-of-date” software.
Adobe's Chief Security Officer Brad Arkin doesn't even know what software the servers he is responsible for are running, and also runs out-of-date software.
You are free to form your own opinion on how Adobe has put millions of people at risk based on the facts we do have, but I think it's safe to say the information we do have doesn't paint a pretty picture of Adobe's so-called security.

@faugusztin, we both seem to have conflated hashes with encryption, when it is more than likely Adobe used a block cipher (a block cipher is reversible if you know the key).
gcwebbyuk 6th October 2013, 10:51
So how do Adobe compare to other companies that we trust our data with?

News articles can be easily written to make a situation sound good or bad.

I agree, it doesn't sound great that Adobe chose to leave this from the public eye for so long. I would expect the reason for this to come out at some point soon, there will be someone somewhere who is willing to explain - although again, by that time Adobe could have written some spin to put on it.

Bottom line is that data is never really safe. You gotta make the most of a bad situation - bit like life really...
Corky42 6th October 2013, 12:13
Quote:
Originally Posted by gcwebbyuk
So how do Adobe compare to other companies that we trust our data with?
Well Sony got fined £250k when the PSN got hacked, and you only have to look at the fines issued by the ICO to see the problem is very bad.

2010 - 2 fines totalling £160,000
2011 - 7 fines totalling £541,100
2012 - 17 fines totalling £2,143,000

Yet companies keep insisting the cloud and subscription based services are the way of the future.
Quote:
Originally Posted by gcwebbyuk
News articles can be easily written to make a situation sound good or bad.
Yes news articles can be written with bias, but when it uses quotes and confirmations from an interview you tend to take them on face value.
Quote:
Originally Posted by gcwebbyuk
Bottom line is that data is never really safe. You gotta make the most of a bad situation - bit like life really...
Yes data is never really safe, it's all a matter of degrees, but you would expect a third party to take the same or better security measures than you do. If I had the slightest suspicion of a data breach I would act immediately to change passwords or cancel CCs.
monkiboi 6th October 2013, 13:08
Quote:
Originally Posted by faugusztin

1) credit card data CANNOT be hashed. Hashing is a one way function, data cannot be restored from a hash. Hashing is useless for anything else but passwords in this context.
2) if credit card data was encrypted, then to be able to show/edit credit card information to users via the website it has to have access to the credit card information, and have access to the decryption keys. And because that key has to be part of the website, it is pretty much useless, unless we talk about a database-only hack, which is not what happened here, as this one looks like a complete hack including internal systems.

I just want to extend a little on what Faugusztin is saying in point 1, for those who are still not following.

When you first sign up for a service and enter a password this password is put through a hashing algorithm (there are many to choose from), which returns a random string of characters, which is then stored as your password in the database. Now you cannot reverse engineer this which is why, if you forget your password you have to reset it.

You can increase the security further by adding in what's called a 'salt', which adds a string of characters to your password and then hashes it.

Now, the hashing is consistent in that the same password you enter whenever you log in will always produce the same hashed string, as long as the same algorithm is used, so you log in, your password is hashed and then compared to the hashed password in the database. If they match you're then logged in.

Obviously, this won't work for credit card details as the company providing the service to you needs to present those card details to the bank for every recurring payment and if it was hashed they couldn't retrieve those numbers. You could potentially do it if the bank used the same hashing and salt as the vendor but then the bank opens itself up to huge security risks.

Banks also demand what's called PCI compliance from anyone using their services for online payments, which dictates how customer details are stored and the security measures you need for compliance, but that's not really relevant here.
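The contrast faugusztin and monkiboi describe above, as an added example that is not from the thread or from Adobe: a salted one-way password hash that can only be checked by re-hashing, beside a card number that has to be reversibly encrypted because the next recurring charge needs it back, so the decryption key sits with the billing service. Written in Go against the standard library; the salt, key and card number are constructed for the demo (SHA-256 stands in for the slow KDF a real deployment would use).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Password: salted one-way hash; only salt and digest are stored. Demo only,
// production code uses a slow KDF (bcrypt, PBKDF2) rather than bare SHA-256.
func HashPassword(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// No "decrypt" exists for a hash: verifying re-hashes the attempt and compares.
func VerifyPassword(salt, storedDigest []byte, attempt string) bool {
	return subtle.ConstantTimeCompare(storedDigest, HashPassword(salt, attempt)) == 1
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Card number: must come back out for the next recurring charge, so it is AES-GCM
// encrypted under a key the billing service keeps; whoever takes that key along
// with the database can decrypt every stored card (faugusztin's point 2).
func EncryptCard(key, pan []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pan, nil), nil // nonce || ciphertext || tag
}

func DecryptCard(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

A stolen (salt, digest) pair only lets an attacker guess and re-hash; a stolen (key, blob) pair gives the card number straight back, which is the whole difference the thread is arguing about.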