Pushing their customers onto their cloud service, and then getting hacked...
Let's just hope that important artwork is not saved in the cloud.
The bigger issue is the nearly 3 million account details that were taken.
I received one of these today.
We recently discovered that attackers illegally entered our network. The attackers may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account. If you have placed an order with us, information such as your name, encrypted payment card number, and card expiration date also may have been accessed. We do not believe any decrypted card numbers were removed from our systems.
To prevent unauthorized access to your account, we have reset your password. Please visit www.adobe.com/go/passwordreset to create a new password. We recommend that you also change your password on any website where you use the same user ID or password. As always, please be cautious when responding to any email seeking your personal information.
We also recommend that you monitor your account for incidents of fraud and identity theft, including regularly reviewing your account statements and monitoring credit reports. If you discover any suspicious or unusual activity on your account or suspect identity theft or fraud, you should report it immediately to your bank. You will be receiving a letter from us shortly that provides more information on this matter.
We deeply regret any inconvenience this may cause you. We value the trust of our customers and we will work aggressively to prevent these types of events from occurring in the future. If you have questions, you can learn more by visiting our Customer Alert page, which you will find here.
Adobe Customer Care
@elmer: Yes, this one is painful. To be honest I had an account with Adobe before the push to the cloud, but at least they did not have a credit card on record.
One of the consequences is that I spent most of my morning changing account information for a bunch of other websites which shared similar login information. This is unfortunately not the first time I have had to change passwords due to a website being hacked (last year it was LinkedIn), but my memory isn't good enough to remember a password per account.
I have an encrypted spreadsheet to keep most of them, except for a master one. Do you have a better solution? Do you use a special mnemonic trick? Do you use a password manager?
@giovanni: I use LastPass for most things, but not sensitive communication services (email/FB). They allege that all encryption/decryption is done client side, but they could easily have had an NSL forcing them to capture login information. But at the end of the day I think the increased security from proper password practice outweighs the risks from using LastPass for most sites, especially those that force you to register for no good reason, most online shops and so forth.
As I said, I don't use it for email and FB just in case either I were to compromise the master password or they were (but my GMail, Outlook and FB accounts all have two-factor authentication anyway, and I suspect the authorities would be able to access those services without going via LastPass if they wanted to, so even those would be OK in there).
Post removed at user's request.
Did they really say that they were storing encrypted passwords? Or was that an overly simplified way of saying that they lost the salted hashes of passwords?
The part that I find disconcerting is:
"We do not believe any decrypted card numbers were removed from our systems."
In other words... It was possible for them to get decrypted card numbers, so we are crossing our fingers and hoping we were lucky.
Journalists have a habit of getting confused between encryption and hashing.
Which is a shame, because they'd probably report a company that lost passwords stored in pig latin the same way they'd report a company storing passwords securely with an iterated site-wide HMAC.
@evildictaitor: I am no security expert, but my guess is that it is only a matter of time before the passwords are decrypted by brute force or other means. If the attack was as sophisticated as Adobe described in their statement, whoever did it is pretty good and has the right tools at hand.
Encryption might give Adobe and its customers enough time to change passwords, but no more I am afraid.
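The two points raised above, that an "iterated site-wide HMAC" is a very different thing from reversible encryption, and that a leaked password table falls to brute force sooner or later, can be made concrete with a small script. The block below is an added example for this thread, not code from Adobe or from any commenter, and it shows only the hashing side: a per-user salted, iterated PBKDF2-HMAC-SHA256 record beside an unsalted site-wide HMAC, plus a dictionary attack against both. The record format, the `adobe123`-style sample passwords, the iteration count and `SITE_KEY` are all assumptions for illustration; nothing here describes how Adobe actually stored its passwords, which the thread does not establish.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed record format for this example: "pbkdf2_sha256$iterations$salt_hex$digest_hex".
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a salted, iterated record for one user's password.

    A fresh random per-user salt means two users with the same password get
    different records, so the dump reveals no shared passwords and precomputed
    tables are useless against it.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def site_wide_hmac(site_key: bytes, password: str) -> str:
    """One keyed hash for the whole site, with no per-user salt and a single pass.

    Identical passwords give identical records, so an attacker holding the dump
    can see who shares a password before cracking anything, and if site_key is
    stolen with the dump, every guess is one cheap HMAC against all users at once.
    """
    return hmac.new(site_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(stored: str, wordlist: List[str]) -> Optional[str]:
    """Try each candidate against one salted record; return the match or None.

    Iterations multiply the attacker's cost per guess but do not save a password
    that is in the wordlist, which is why the notice tells users to change it
    everywhere it was reused.
    """
    for candidate in wordlist:
        if verify_password(candidate, stored):
            return candidate
    return None


# Constructed sample data for this example, not taken from any real breach dump.
SITE_KEY = b"example-site-key-do-not-reuse"
WORDLIST = ["123456", "password", "adobe123", "letmein", "qwerty"]


def demo() -> dict:
    """Run the comparison and return the observations as a dict."""
    weak_record = hash_password("adobe123")
    strong_record = hash_password("correct horse battery staple")
    return {
        "salted_records_differ": hash_password("adobe123") != hash_password("adobe123"),
        "unsalted_records_collide": site_wide_hmac(SITE_KEY, "adobe123")
                                    == site_wide_hmac(SITE_KEY, "adobe123"),
        "weak_cracked_as": dictionary_attack(weak_record, WORDLIST),
        "strong_cracked_as": dictionary_attack(strong_record, WORDLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the salted records for the same password differing, the unsalted site-wide HMACs colliding, the weak password recovered from the short wordlist, and the long passphrase surviving it. The iteration count is what turns "a matter of time" into a cost the attacker has to pay per guess per user; it does nothing for passwords that are guessable outright.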