Adobe Gets Hacked, Product Source Code And Data For 2.9M Customers Likely Accessed

Old 10 October 2013   #1
Adobe Gets Hacked, Product Source Code And Data For 2.9M Customers Likely Accessed

Here is one for those still in love with the cloud...


Quote:
"
Uh oh — Adobe has just disclosed that one of their servers has been hacked.

While their investigations are still ongoing, Adobe has shared a few details on what they believe could have been accessed and obtained in the hack — and it’s a big one.

From what Adobe has shared so far, it sounds like the hackers had access to encrypted data for as many as 2.9 million customers. While Adobe stresses that the data is encrypted and that they “do not believe the attackers removed decrypted credit or debit card numbers”, that data — encrypted or not — is definitely not something they want out in the wild.

Adobe has yet to disclose how that data was encrypted, so it’s currently unclear just how secure it is."

http://techcrunch.com/2013/10/03/ad...ikely-accessed/
__________________
LW FREE MODELS:FOR REAL Home Anatomy Thread
FXWARS
:Daily Sketch Forum:HCR Modeling
This message does not reflect the opinions of the US Government


Last edited by RobertoOrtiz : 10 October 2013 at 10:41 PM.
 
Old 10 October 2013   #2
Originally Posted by RobertoOrtiz: Here is one for those still in love with the cloud...

Care to explain what the cloud has got to do with a server being hacked?
It's not like they tunnelled through a bug in a software that runs remotely or something like that, the only "mandatory" cloud part to Adobe CC is pretty much the licensing/updating.

This is so utterly unrelated. It would be if the client's projects, which can be on the cloud storage if you so choose, had been compromised, but an accounts database and some domain specific servers (and that's most likely only the server side code for a handful of products that was obtained, it's not like they got hold of the authenticator or Photoshop's entire codebase).
Adobe could be still selling only off brick and mortar store shelves and things wouldn't have changed one iota.

Seriously Roberto, quit with the Luddite hatemongering already
__________________
Come, Join the Cult http://www.cultofrig.com - Rigging from First Principles

Last edited by ThE_JacO : 10 October 2013 at 11:46 PM.
 
Old 10 October 2013   #3
Sounds like they have account information, if that's true and they can get past the encryption then they would be able to access people's accounts and cloud storage right?
__________________
The Z-Axis
 
Old 10 October 2013   #4
Assuming those people have stuff on the cloud storage, they didn't change the password as they've been asked to, Adobe doesn't geographically gate access as a precaution (IE: login from an IP on an unusual route/country for that account suddenly pops up and goes through without e-mail confirmation), yes, they would.
It's a long string of ifs, but it's not impossible.
DB theft is most dangerous when network geography is matched or spoofed, or the company doesn't do any gating after the accident. I'd think Adobe better than the latter, the former is unavoidable, at least by coincidence, on at least a small but significant fraction of accounts (an eventual hacker is likely to tunnel through a popular network in the country with the most seats to gamble on the former).

Given the average person's password weakness, which is on average something beyond embarrassing, anybody with a couple 400$ videocards can push several trillion attempts an hour against hashed passwords once they obtain them.

Encryption is a strong word when it comes to password databases, not incorrect, but it makes it sound harder than it really is to get to those passwords.
Once you have a database, and therefore no limits to how hard you can hit the hashed entries for matches, it's just a matter of how many cycles you have at hand before you can crack open a considerable percentage.

This might be somewhat technical in general, but good stretches of it are perfectly accessible to the layman:
http://t.co/MBpyOabi0V

And yes, you should be scared if you use dictionary words or non super-long passwords with proper mixing and offsetting of all tricks. Statistically speaking there are very good chances that one in two reading this post has a password a kid somewhere with very rudimentary knowledge of OCL, C and some libraries can hammer any of them hard enough in just a handful of seconds.
A professional with something running on a pay-per-cycle farm can probably lay bare that database in just a few hours.
__________________
Come, Join the Cult http://www.cultofrig.com - Rigging from First Principles

Last edited by ThE_JacO : 10 October 2013 at 01:09 AM.
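The storage side of the point made in post #4, as an added example that is not part of the thread: an unsalted fast hash next to a salted, deliberately slow one, with a measurement of how much each offline guess costs. PBKDF2-HMAC-SHA256, the iteration count, the record format and all function names are assumptions of this example; the thread does not say how Adobe stored passwords.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor; tune to your own login latency budget

def weak_record(password: str) -> str:
    # The "before": one unsalted fast hash. Equal passwords give equal rows,
    # so a single guess is checked against every stolen row at once.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)  # per-user salt: each row must be attacked separately
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        rounds = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed or legacy record
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk, expected)  # constant-time comparison

def needs_rehash(record: str, target: int = ITERATIONS) -> bool:
    # Lets the work factor be raised at next successful login as hardware gets faster.
    return int(record.split("$")[1]) < target

def slowdown_factor(iterations: int = ITERATIONS, fast_rounds: int = 20_000) -> float:
    """Time per guess under PBKDF2 divided by time per guess under one SHA-256."""
    pw = b"constructed-sample-password"
    start = time.perf_counter()
    for _ in range(fast_rounds):
        hashlib.sha256(pw).digest()
    fast = (time.perf_counter() - start) / fast_rounds
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, b"\x00" * 16, iterations)
    return (time.perf_counter() - start) / fast

if __name__ == "__main__":
    print("same password, weak rows equal:", weak_record("hunter2") == weak_record("hunter2"))
    print("same password, salted rows equal:", hash_password("hunter2") == hash_password("hunter2"))
    print(f"cost per guess vs. single SHA-256: ~{slowdown_factor():,.0f}x")
```

The slowdown only raises the cost per guess; a dictionary word still falls quickly, which is why the forced reset described later in the thread matters as well.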
 
Old 10 October 2013   #5
I think the credit card information has to do with Creative Cloud because we now have to leave credit info with Adobe. Whereas before we make a one-time payment and the credit card info can be tossed, we now have to leave one on their systems
 
Old 10 October 2013   #6
Originally Posted by arvinmoses: I think the credit card information has to do with Creative Cloud because we now have to leave credit info with Adobe. Whereas before we make a one-time payment and the credit card info can be tossed, we now have to leave one on their systems
yes when you make an online purchase your credit card number magically disappears after purchase and is totally inaccessible to that company ever again
__________________
Quote: "Until you do what you believe in, how do you know whether you believe in it or not?" -Leo Tolstoy
Kai Pedersen
 
Old 10 October 2013   #7
Where did you learn about all this Jaco? The C++ example you posted was also very impressive.
 
Old 10 October 2013   #8
Originally Posted by Panupat: Where did you learn about all this Jaco? The C++ example you posted was also very impressive.

I've always been tangentially involved with system departments where I worked, have several friends and acquaintances in IT due to being close to a fair few comp-sci people, and I've been doing a decent amount of massively parallel computational work the last few years (which is why I had that link at hand, bumped into it on http://hgpu.org/ only a few days ago).

Enough years of me storing random (and often useless) information, programming as part of my day job, and coincidence, all came together at this singular thread in time to provide you with that link.
Ain't that amazing?
__________________
Come, Join the Cult http://www.cultofrig.com - Rigging from First Principles
 
Old 10 October 2013   #9
Originally Posted by LucentDreams: yes when you make an online purchase your credit card number magically disappears after purchase and is totally inaccessible to that company ever again

that's at least how it should be. Just because many companies keep that stuff, doesn't make it better.
__________________
---------
www.silva3d.com - www.wallis-eck.de
 
Old 10 October 2013   #10
Originally Posted by Walli: that's at least how it should be. Just because many companies keep that stuff, doesn't make it better.

But it's not how it is, cloud or not, because people largely want to not have to bother and be repeat billed effortlessly.
Amazon making squillions with one click pay and managing to patent it is proof enough that Joe Average will take comfort and the illusion of security over responsibility and safety any day of the year
__________________
Come, Join the Cult http://www.cultofrig.com - Rigging from First Principles
 
Old 10 October 2013   #11
I know how it is. And I wasn't so much talking about repeated bills, I was talking (like arvinmoses) about a one-time payment. At least I as customer want to have control, if they store my credit card/payment info, or not.
Again, that's with one-time payments, of course that's not (easily) possible when you have to do monthly payments.
__________________
---------
www.silva3d.com - www.wallis-eck.de
 
Old 10 October 2013   #12
Here's the BBC article-
http://www.bbc.co.uk/news/business-24392819

The article also mentions this-
Quote:
Adobe said that it is resetting passwords for the customer accounts it believes were compromised, and that those customers will get an email alerting them to the change.

It is also recommending that, as a precaution, customers affected change their passwords and user information for other websites for which they used the same ID.

For those customers whose debit or credit card information is suspected of being accessed, Adobe is offering a complimentary one-year subscription to a credit-monitoring programme.


Finally, the company said it had notified law enforcement officials and is working to identify the hackers.

Really, just reset your password and you will be protected!
 
Old 10 October 2013   #13
This breach is potentially much more serious than a garden variety account information theft.

These bad guys stole Adobe's source code for some of their most security-significant apps (Acrobat, ColdFusion, etc.). In addition, they've had commit ability on Adobe's source tree since mid-August, meaning that, in the worst case, they could have inserted backdoors into Adobe's code for recent releases. They are reviewing the past month and a half of commits for this now.

Even if they didn't insert malicious code, having access to (even beta, unreleased) source code for these apps is incredibly damaging, and will hamper security for them for years to come. Unless of course, Adobe commits to a clean-room rewrite of the code, which is pretty unlikely.

edit: phrasing

Last edited by NWoolridge : 10 October 2013 at 02:47 PM.
 
Old 10 October 2013   #14
This must be quite a widespread hack, user account data and source code are most likely stored in very different places.
Keep in mind that Adobe admitted that source code was 'stolen' only because an external IT person learned from another source and told them, I bet they won't tell us what's not public yet... Now imagine what a wicked mind could do if he had access to Flash's source code.
 
Old 10 October 2013   #15
Originally Posted by LucentDreams: yes when you make an online purchase your credit card number magically disappears after purchase and is totally inaccessible to that company ever again

Actually, that is how it should be. After they get the bank confirmation of incoming cash, they do not need the credit card number anymore. I really don't get why some companies want to store it, let alone in plain text format (just search articles at ArsTechnica. There are companies that did this)

I bought old games at GOG, one of the companies that is proud of not storing your credit card info. Yeah, I need to key it in every time I make a purchase, but for me it's not a big deal. It's not like I'm buying a game every single day.

Usually companies that force storing of your credit card info are those monthly or yearly payment things - like renting a server, domain name, service or what not.

edit : add link, because I'm nice :-)

http://arstechnica.com/tech-policy/...mber-anarchaos/

"As it turns out, the credit card numbers were not encrypted, but stored in plaintext in Stratfor's MySQL database."

Last edited by fablefox : 10 October 2013 at 05:29 PM. Reason: add link
 