
Huge Adobe Data Breach Gets Even Worse

Information-security blogger Brian Krebs, who broke the news earlier this month that Adobe had suffered a massive data breach, now says the situation is much worse than it initially appeared.

Krebs discovered, and an Adobe spokeswoman confirmed, that the breach affected at least 38 million, and possibly as many as 150 million, Adobe user accounts.

The hackers who accessed Adobe's servers made off with at least part of the source code for Photoshop, Adobe's flagship software product.


Previously, Adobe had said 2.9 million user accounts, including names and encrypted credit-card numbers, had been exposed, and that source code for Acrobat (used to create PDFs) and ColdFusion and ColdFusion Builder (used to build database-driven websites) had been stolen.

It's hard to tell what, exactly, was stolen from Adobe because the huge data set — 40 gigabytes even after compression — that Krebs and fellow researcher Alex Holden of Hold Security examined was partly encrypted by the thieves.

But since Krebs' initial disclosure of the breach, decrypted versions of some of the data have appeared on hacker websites and forums.

One decrypted file is a 3.8-gigabyte list of more than 150 million usernames and encrypted passwords for Adobe user accounts.

Adobe spokeswoman Heather Edell told Krebs that because many of those accounts were inactive, invalid, duplicated or test accounts, the number of active users affected by the release of that file was closer to 38 million.

Another file that Krebs and Holden weren't able to get into was titled "ph1.tar.gz." This past weekend, Krebs says, that same file, in an unencrypted form, was posted on a website affiliated with the hacktivist movement Anonymous. The file appears to be the source code for Adobe Photoshop.

"A portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3," Edell told Krebs.

The Adobe data was stolen in August by a group of professional information thieves who had previously broken into servers containing data belonging to the commercial data brokers LexisNexis, Dun & Bradstreet and Kroll Background America.

The thieves had already set up their own data brokerage, called SSNDOB, selling Social Security numbers and dates of birth of U.S. residents to online criminals.

Most of SSNDOB's clients kept quiet, but teenage pranksters belonging to the UGNazi hacktivist group used the service's stolen personal data to fraudulently buy credit reports on several dozen celebrities and politicians, including Michelle Obama, Donald Trump and Kim Kardashian. UGNazi then posted the credit reports online in March and April of this year.

This past summer, rival hackers broke into SSNDOB's servers, stole much of the criminal enterprise's files and posted them online. Clues in those files led Krebs and Holden to the cache of stolen Adobe data.

Adobe had previously said it was resetting the passwords for the initial 2.9 million user accounts thought to have been exposed and offering a year of free credit monitoring for those affected customers.

Ironically, as Krebs pointed out, that free credit monitoring is being provided by Experian, which also sold the credit reports of politicians and celebrities to the UGNazi pranksters.

If you believe your information might be at risk due to the Adobe breach, change your Adobe account password right away, whether or not Adobe contacts you. It's likely that more revelations will come as more of the Adobe files are decrypted.

If you used the Adobe password for other accounts, change those passwords as well, preferably to something you don't use anywhere else.

You may also want to ask the Big Three credit bureaus — Equifax, Experian and TransUnion — to place a fraud alert on your files, so that no one else will be able to open an account in your name for three months.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • ern88
    I think Adobe or any other company that gets my info and then loses it or gets hacked should replace the monies stolen and should be sued!!!
  • shiitaki
    So we in the United States can monitor tens of millions of people simultaneously in multiple countries, but completely ignore SSN#'s for sale on the internet?

    Wow, download a porn by torrent and your internet will be cut off. Sell Social Security Numbers on the internet, no problem?!

    The intelligence agency is too damned busy listening to Angela Merkel sexting to bother going after criminals profiting from hacking personal data?

    Makes sense, the constitution only provides privacy from the government, oh wait!! That's not in the second amendment, so that doesn't count.
  • Mr Majestyk
    You might want to edit the article. Adobe is only offering the credit protection service to those in the US, the rest of the world can get stuffed apparently.
  • knowom
    It's Adobe. Hardly surprising this happened to them; frankly, I'm shocked it didn't happen sooner.
  • alyoshka
    hmmmmmmmmmm. errrrrrr Why??
  • mrmez
    I blame this on flash.
  • Brian Cooper
    How awesome that yet another outlet is 'losing' our information.
  • antilycus
    By law, Adobe is required to send WRITTEN NOTICE to every single customer w/ private information that they have. Regardless if they are in data breach or not. Which will cost millions in postage. Who wants to bet Big Business won't do it and nobody will hold them accountable?
  • that man
    I received a notice concerning this in the mail from Adobe, so yes, they are sending these notices out. I have been in an ongoing process of purging my accounts of simple passwords, and had changed my Adobe password on 8/31. Unfortunately, that is likely after the data breach occurred, so it is possible that they have one of my old, simple passwords that I used all over the place. What a headache.