# Adobe site hacked and credit card/personal info compromised



## DianeK (Oct 4, 2013)

This was just posted about an hour ago: http://www.macrumors.com/2013/10/03/adobe-hacked-2-9-million-customer-accounts-compromised/


----------



## Replytoken (Oct 4, 2013)

DPR now has it on their web site as well:  http://www.dpreview.com/news/2013/1...ource=news-list&utm_medium=text&ref=title_0_2.  It will be interesting to see how Adobe handles damage control on this one.

--Ken


----------



## DianeK (Oct 4, 2013)

I have yet to receive a notification email from Adobe that my account was one of the compromised ones, but I went in and changed my password anyway.  I wonder if Adobe was targeted because of their new subscription service with millions of credit card numbers now on file for monthly payments.
Diane


----------



## jid9p80vph (Oct 4, 2013)

I received a notification about 5 hours ago...


----------



## Victoria Bampton (Oct 4, 2013)

I haven't received an email either, but I think changing passwords is good common sense.  The reality is, every big company is a target these days, and all we can do is use sensible precautions like not using the same password on multiple sites and always using credit cards online which offers additional protection.


----------



## Victoria Bampton (Oct 4, 2013)

There's a more helpful page here, including how to change your password: http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html

They said:


> [h=3]What information exactly did the attacker gain access to?[/h]Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.
> We are also investigating the illegal access to source code of numerous Adobe products. *Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident*.


----------



## GDRoth (Oct 4, 2013)

I received the email and initially thought it was a pfishing email since the Adobe notification stated that they had changed my password and to click a link within the email to enter a new password.  Instead of doing that, I went to adobe.com and put in my old password and it worked. 

So why did they tell me they'd changed my password?

I went ahead and changed my password, but still wonder if this was real or pfish...........
Dave


----------



## jid9p80vph (Oct 4, 2013)

GDRoth said:


> I received the email and initially thought it was a pfishing email since the Adobe notification stated that they had changed my password and to click a link within the email to enter a new password.  Instead of doing that, I went to adobe.com and put in my old password and it worked.


That's odd, I was immediately prompted to change my password... Anyway, this is the official Adobe notification, as far as I can tell:

_*Important Customer Security Alert*
To view this message in a language other than English, please click here. 

We recently discovered that attackers illegally entered our network. The attackers may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account. If you have placed an order with us, information such as your name, encrypted payment card number, and card expiration date also may have been accessed. We do not believe any decrypted card numbers were removed from our systems. 

To prevent unauthorized access to your account, we have reset your password. Please visit www.adobe.com/go/passwordreset to create a new password. We recommend that you also change your password on any website where you use the same user ID or password. As always, please be cautious when responding to any email seeking your personal information. 

We also recommend that you monitor your account for incidents of fraud and identity theft, including regularly reviewing your account statements and monitoring credit reports. If you discover any suspicious or unusual activity on your account or suspect identity theft or fraud, you should report it immediately to your bank. You will be receiving a letter from us shortly that provides more information on this matter. 

We deeply regret any inconvenience this may cause you. We value the trust of our customers and we will work aggressively to prevent these types of events from occurring in the future. If you have questions, you can learn more by visiting our Customer Alert page, which you will find here. 


Adobe Customer Care _​


----------



## sizzlingbadger (Oct 4, 2013)

My Pay-Pal account was hacked recently, with same email / password as my Adobe account, a coincidence ?


----------



## Victoria Bampton (Oct 4, 2013)

sizzlingbadger said:


> My Pay-Pal account was hacked recently, with same email / password as my Adobe account, a coincidence ?



Yikes.  Proves how important it is to use unique passwords, especially on financial sites.


----------



## sizzlingbadger (Oct 4, 2013)

Yeah, I usually do and had been meaning to change my Pay-Pal password too, it sort of got left behind because I don't use it much.


----------



## bobrobert (Oct 5, 2013)

I contacted Mastercard yesterday at about 15.00hrs concerning the problem. They seemed to have had no knowledge about it and advised me not to change the password because it could be bogus. I assured them I had checked various sources but they weren't convinced and suggested I ring Adobe with my concerns. It would be a lot of work and expense for them to replace cards so I think the slopey shoulder syndrome kicked in. Adobe assured me their encryption is robust and the key wouldn't be found wanting and their methods are robust. I am paraphrasing their answer. Just have to wait and see. Mastercard and other companies will have to cover any losses.


----------



## Rose Weir (Oct 5, 2013)

After reading this posting I called my online banking service and changed my log in password. It had been set many years ago, as was the Adobe log in. Fortunately I keep a record of my log ins mainly because I usually forget what I used. I rarely use the Adobe log in and I discovered in my records I had used the same password.
The only way I discovered my Adobe log in had been reset was after an attempt to log in to the user forum.
What a hoorah changing an online banking password but doing that also covers the credit card used at Adobe for product purchases according to the person overseeing this 'password edit'.

Rose


----------



## clee01l (Oct 5, 2013)

FWIW, I keep four sets of email addresses and passwords.  For commercial online business, (like Adobe and Amazon),  I have one email address (but different passwords) ,  I have another email and password series for financial contact and two more for friends and for general acquaintances.

Credit card companies will not replace Credit cards for something like what happened with Adobe. it is too expensive.  If your CC account gets compromised and hacked (identity stolen) because of issues like that with Adobe, you will not be subject to any loss it you notify the CC company after the loss occurs AND then they will set you up with a new CC account.


----------



## Replytoken (Oct 7, 2013)

Does anybody know if Adobe's password notice only went out to impacted customers, or was it sent to a broader distribution list?  I received my notice yesterday, but it does not specifically say that my account was impacted.

Thanks,

--Ken


----------



## Jim Wilde (Oct 7, 2013)

I suspect, but don't know for certain, that it's gone out to everybody. Am just a bit ticked that it's taken so long to do that....like you I got an email last night, which was two days *after *I'd changed my password. So I now have to got through that again if the password reset happened AFTER I changed it.


----------



## marco (Oct 7, 2013)

Jim Wilde said:


> I suspect, but don't know for certain, that it's gone out to everybody. Am just a bit ticked that it's taken so long to do that....like you I got an email last night, which was two days *after *I'd changed my password. So I now have to got through that again if the password reset happened AFTER I changed it.


I got the mail about 18 hours after I learned about it here in the forum and checking Adobe's website. I changed my password right away. I was able to login with my new password after I got the mail.



clee01l said:


> Credit card companies will not replace Credit cards for something like what happened with Adobe. it is too expensive.  If your CC account gets compromised and hacked (identity stolen) because of issues like that with Adobe, you will not be subject to any loss it you notify the CC company after the loss occurs AND then they will set you up with a new CC account.


My credit card (Master Card) is issued (I think that's what you call it, right?) by my bank. So I called the bank and explained it three times. The last person, in charge of credit cards, suggested that they cancelled my card to be safe and give me a new one for free. So that's what we did.


----------



## Victoria Bampton (Oct 7, 2013)

As far as I understand it, the password reset happened at the beginning, and the emails were all queued up, but it's taking a few days to send 2.9 million emails!


----------



## Jim Wilde (Oct 7, 2013)

Hope you're right, Victoria. I've been logged into the U2U for a few days now, guess I need to try logging out and back in again to see if my changed password is still valid.

Edit: Just tried it and yes, my changed password is still valid. So you are right....now there's a surprise.


----------



## Denis de Gannes (Oct 7, 2013)

Yes same here for me I changed my password twice in the past two days. I did it after I saw the news, then again when I got an e-mail from Adobe. With respect to credit card info Adobe as a Merchant processor would have had to notify the Credit Card company i.e. Visa, Mastercard etc of the compromise of their data base. It would be then be the responsibility of Visa, Mastercard etc. to contact the Card Issuers i.e. Banks, Financial Institutions etc to inform their clients and recall/re-issue replacement cards. I have had my Bank do this several times over the past few years, even though I have not had any unauthorized transactions on my account.


----------



## Denis Pagé (Oct 11, 2013)

Hi everyone!

To follow up on this, the hacker's server — a Russian group — was found unprotected with the encrypted credit card data and some Abobe's source code.
http://www.macworld.com/article/205...was-parked-on-hackers-unprotected-server.html


----------



## sizzlingbadger (Oct 11, 2013)

I had a second password reset email yesterday.


----------



## Replytoken (Oct 31, 2013)

Looks like the loss was quite a bit bigger than initially announced earlier this month: http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/ .

--Ken


----------

