After initially estimating that a mere 3 million customers had been affected by the security breach it announced at the start of October, Adobe on Wednesday admitted that the actual number now looks to be closer to an eye-popping 38 million. In addition, the breach seems to be more far-reaching than initially thought, extending to the Photoshop family of products as well.
In its original announcement, Adobe said hackers stole 3 million encrypted customer credit card records and login data for Adobe user accounts. This past weekend, however, AnonNews.org posted a file that appears to include more than 150 million username and hashed password pairs taken from Adobe, according to Krebs on Security.
So far, Adobe’s investigation has confirmed that the attackers obtained access to Adobe IDs and what were at the time valid, encrypted passwords for approximately 38 million active users, the company said in a statement provided to the E-Commerce Times by spokesperson Marissa Hopkins.
“We have completed email notification of these users,” Adobe said. “We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident — regardless of whether those users are active or not.”
Adobe believes the attackers obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data as well, the company added: “We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident. Our notification to inactive users is ongoing.”
There’s no indication so far, however, that there has been unauthorized activity on any Adobe ID account involved in the incident, the company pointed out.
As with most security hacks, information is limited and experts are left filling in the blanks with speculation. For example, there is the question of how one breach could encompass so many people.
“We often become numb to the numbers when discussing breaches, but 38 million is a vastly different scale of breach — it’s massive,” Tim Erlin, director of IT risk and security strategy at Tripwire, told TechNewsWorld. “It surpasses last year’s 24 million record Zappos breach and will undoubtedly cost Adobe tens of millions of dollars.
“As more information about the attack vector and details emerges, we’ll be able to understand what Adobe might have done to prevent this compromise,” Erlin added.
A breach of this size doesn’t happen overnight, noted Craig Young, also a security researcher with Tripwire.
“Clearly, attackers were on Adobe’s networks for a prolonged period of time without being detected,” Young told TechNewsWorld. “In fact, the attacks were only brought to light when researchers found Adobe’s data on a server used by organized cybercriminals.”
Very likely, the hackers attacked an account management server that contained most if not all Adobe accounts, suggested Dodi Glenn, a security researcher with ThreatTrack Security.
Adobe has acknowledged publicly that the breach was possible in part due to server-side accessibility and consolidation of security credentials, noted Lockbox CEO Peter Long.
If nothing else, what this breach has served to highlight “is that a strategy of attempting to secure the infrastructure ultimately can be overwhelmed by a consistent and focused attack,” Long told TechNewsWorld.
‘Should Have Been Prevented’
Given the magnitude of the numbers involved, it is fair to rethink Adobe’s after-the-fact approach to the breach.
When it was first revealed, Adobe apologized and offered free yearlong credit monitoring for affected customers. It also made sure the passwords were encrypted and issued a password reset for the accounts that were compromised, Glenn told TechNewsWorld — all to the good.
However, “the damage is already done,” he added. “The leak occurred, and should have been prevented in the first place.”
Where Adobe’s response could stand improvement is in providing more transparency about what happened, he concluded, “instead of letting people and security groups speculate.”