Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.
We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.
A few observations.
- If the criminals downloaded 2.9 million customer details with name, address and credit card details the risk of fraud is substantial. Encryption is good of course, but if you have a large body of encrypted information which you can attack at your leisure then it may well be cracked. Adobe has not told us how strong the encryption is.
- The FAQ is full of non-answers. Like, question: how did this happen? answer, Our investigation is still ongoing.
- Apparently if Adobe thinks your credit card details were stolen you will get a letter. That seems odd to me, unless Adobe is also contacting affected customers by email or telephone. Letters are slow and not all that reliable since people move regularly (though I suppose if the address on file is wrong then the credit card information may well be of little use.)
- Adobe says source code was stolen too. This intrigues me. What is the value of the source code? It might help a criminal crack the protection scheme, or find new ways to attack users with malicious PDF documents. A few people in the world might even be interested to see how certain features of say Photoshop are implemented in order to assist with coding a rival product, but finding that sort of buyer might be challenging.
- Is the vulnerability which enabled the breach now fixed? Another question not answered in the FAQ. Making major changes quickly to such a large system would be difficult, but it all depends what enabled the breach which we do not know.
- I’d like to see an option not to store credit card details, but to enter them afresh for each transaction. Hassle of course, and not so good for inertia marketing, but more secure.