2.9 Million User IDs and Credit Card Information Stolen from Adobe's Company Network

It wasn't long ago, August 19^thin fact, I wrote an article about the things that Adobe has done to improve software security. After previously talking about Adobe's lax security and propensity to be the vendor with the most zero-day flaws, an Adobe representative contacted me to try and smooth out the rough security edges of Adobe's past. After an email thread back and forth, I felt it safe to suggest that Adobe had truly taken steps to beef up the quality of their software applications.

You can read about that here:  What Adobe Has Done to Improve Security

Late last week, Adobe had the unfortunate task of letting customers know that their own network had been compromised, and that hackers had stolen 2.9 million Adobe user IDs and passwords and credit and debit card numbers and information.

So, to me, a hack into the network would seem like it should be identified long before the number of stolen information reached 2.9 million users – unless, of course, user information is being stored in plain text files. That's quite a long time for the doorway to be open and data to be flowing outside the network.

In an apologetic blog post, Brad Arkin, Chief Security Officer for Adobe, details what Adobe is attempting to do to help the situation. Customers affected by stolen IDs and passwords, will receive an email describing how to successfully change the password. Customers affected by stolen credit card numbers will receive a notification letter (USPS) listing procedures available for protecting against further loss and also offering a complimentary credit monitoring service.

You can read the full apology here: Important Customer Security Announcement

In addition to the stolen customer information, the hackers also stole the source code for Acrobat, ColdFusion, ColdFusion Builder, and other products. So, while Adobe has worked extremely hard trying to improve product security, all of that could be moot considering some hacker somewhere now has the ability to inject attacks directly into original product source code.

Best be on the lookout for Adobe updates in sheep's clothing.

I know many companies are always looking to replace Adobe's products with alternatives for a number of reasons including price and security (or, lack thereof). If you are one of those companies that has done this successfully, please leave comments here so others can benefit from your experience and knowledge.