The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the company’s Photoshop family of graphical design products.
In a breach first announced on this blog Oct. 3, 2013, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts.
At the time, a massive trove of stolen Adobe account data viewed by KrebsOnSecurity indicated that — in addition to the credit card records — tens of millions of user accounts across various Adobe online properties may have been compromised in the break-in. It was difficult to fully examine many of the files on the hackers’ server that housed the stolen source because many of the directories were password protected, and Adobe was reluctant to speculate on the number of users potentially impacted.
But just this past weekend, AnonNews.org posted a huge file called “users.tar.gz” that appears to include more than 150 million username and hashed password pairs taken from Adobe. The 3.8 GB file looks to be the same one Hold Security CISO Alex Holden and I found on the server with the other data stolen from Adobe.
Adobe spokesperson Heather Edell said the company has just completed a campaign to contact active users whose user IDs with valid, encrypted password information was stolen, urging those users to reset their passwords. She said Adobe has no indication that there has been any unauthorized activity on any Adobe ID involved in the incident.
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” Edell said [emphasis added]. “We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.”
Edell said Adobe believes that the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data. “We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident,” she wrote in an email. “Our notification to inactive users is ongoing.”
Part of the Adobe breach involved the theft of source code for Adobe Acrobat and Reader, as well as its ColdFusion Web application platform. Among the cache was a 2.56 GB-sized file called ph1.tar.gz, but KrebsOnSecurity and Hold Security were unable to crack the password on the archive. Over this past weekend, AnonNews.org posted a file by the same name and size that was not password protected, and appeared to be source code for Adobe Photoshop.
Asked about the AnonNews posting’s similarities to the leaked source code troves discovered by this publication in late September, Adobe’s Edell said indeed that it appears the intruders got at least some of the Photoshop source code. In both cases, Adobe said it contacted the sites hosting the data linked to from the AnonNews postings and had the information taken down.
“Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3,” Edell wrote.
FREE CREDIT MONITORING?
As many readers have pointed out in comments on previous KrebsOnSecurity posts, Adobe has offered a year’s worth of credit monitoring to customers whose encrypted credit card data was stolen in the breach. As it happens, Adobe’s offering comes through Experian, one of the three major credit bureaus and a company that is still reeling from a security breach in which the company was tricked into selling consumer records directly to an online identity theft service.
One of the most frequently asked questions I receive involves whether readers should take advantage of credit monitoring services, particularly those offered for free by the major credit bureaus in response to some breach. My response is usually that free credit monitoring generally can’t hurt, as long as you’re not automatically signed up for a non-free monitoring service after the free period expires. Monitoring especially makes sense if you’ve been the victim of ID theft before.
But bear in mind that having your credit card information stolen is not the same thing as identity theft — which generally involves the fraudulent opening of new accounts in your name. Some types of ID theft involve the creation of synthetic identities — using parts of your personal information combined with some aspects that are not yours — and credit monitoring services may have a hard time detecting these types of accounts.
For consumers reacting to news about their credit or debit card being compromised, it probably makes more sense to opt for placing fraud alerts and obtaining free copies of your credit report several times annually, as specified by law. And remember that the card associations all have zero-liability policies.
A big part of monitoring your credit involves checking your credit file for oddities and errors. The credit bureaus would prefer that you purchased a copy of your credit report from them (the annoyingly catchy commercials for freecreditreport.com, for example, are advertisements for Experian’s service). But this is completely unnecessary. U.S. consumers are entitled to a free credit report from each of the three major bureaus once per year, via annualcreditreport.com. That means that roughly every four months, you should be able to get an updated copy of your credit report from one of the three bureaus (calendar reminders come in handy here).
But back to the question about credit monitoring: Having been the recipient of a large number of attempts to open new lines of credit in my name, I have chosen to take advantage of a credit monitoring service, but it is not one of the services offered by the three bureaus (and I’ll leave it at that). The main reason for this is that if you run into a situation (as I am in now) where particular credit grantors consistently fail to remove fraudulent credit inquiries that negatively affect your credit score and file, you may eventually need to take that up directly with the credit bureaus.
While it may be tempting to believe that paying Experian or one of the other credit bureaus (Equifax or Trans Union) to monitor your file might make them more likely to help you in this situation, there is absolutely nothing in the fine print that says they will. Also, remember that these are the same companies that are tricking consumers into paying for free credit reports and making money hand over fist selling your credit information to would-be creditors and marketers (or in the case of Experian, even to ID theft services).
As mentioned earlier, consumers also are entitled to place a fraud alert on their credit files, and to require that potential creditors first get the consumer’s approval — such as via a phone call — before granting any new lines of credit. The protections are more strict if consumers can show they’ve been victims of identity theft – in that case the fraud alert stays in the files of identity theft victims for seven years. While a regular fraud alert expires after 90 days, consumers can simply renew the alert online when the old one expires. The credit bureau with which you file the alert is required by law to share it with the other two agencies.
Finally, consumers always have the option of placing a security freeze on their credit file — which blocks creditors from accessing your credit reports until the freeze is lifted. It generally costs $10 to place a freeze and another $10 to thaw it if you ever want to buy a new car or open a new line of credit. This may sound like a hassle, but it may ultimately make more sense than paying $15 a month for a credit monitoring service, or trying to remember to file new fraud alerts every 90 days.
Update: Oct. 29, 9:26 p.m. ET: Modified paraphrasing of Edell’s comment on completing the notification campaign, from “..to contact existing users whose login and encrypted password information was stolen,” to the current text.