Adobe's recent data breach was by all reports a disaster for a whole lot of people, and now some numbers are emerging to suggest just how bad it was: much worse than previously thought. The company is now reportedly saying that the data breach, which triggered a flood of password reset emails from Adobe and left user account information exposed, had at least some impact on at least 38 million users, up from earlier estimates of 2.9 million. But that's only part of the damage here.
While there's no getting around the fact that 38 million users impacted is bad news by any stretch of the imagination, it turns out that the impact was still worse than even that. The source code said to be taken in the attack is now reported to include the Photoshop line of products, bringing the total damage up to not only stolen source code, but also nearly three million encrypted credit card records from customers and login data for an as yet undetermined range of users.
One of the biggest indicators showing how far down this rabbit hole went was a posting at AnonNews.org, a news site devoted to the activities of Anonymous, the decentralized hacking collective. Said posting contained a file labeled “users.tar.gz” which was said to contain over 150 million username and hashed password pairs from Adobe. Said file, measuring fully 3.8 gigabytes in size, reportedly appeared to be identical to one that Hold Security's CISO Alex Holden and Brian Krebs of “Krebs On Security” found alongside other stolen data.
So far, according to Adobe's Heather Edell, the company has made a complete campaign of contacting potentially impacted users and urging said users to reset passwords to render much of that information useless to hackers, and it's a campaign that seems to be working. So far, according to Edell, there is no indication that unauthorized activity has taken place on any account that was involved, and that's certainly a bit of good news in an otherwise disastrous situation.
Adobe's response to this issue, by all accounts, was both quick and robust, with the company offering a year's worth of credit monitoring services at no charge. However, it was noted that the credit monitoring in question came from Experian, which was recently spotted selling a variety of consumer data items to an identity theft service.
Still, none of this is particularly good news, though perhaps it's simply less bad news than people may have expected. But Adobe's response to it all has been hard to reproach, as it was quick and offered the users added value with the credit monitoring, even if the credit monitoring itself may have been an issue. But that's scarcely Adobe's fault, and the offer was a sound one in its way.
But the key point here for Adobe users—and everyone else—must remain, sadly, vigilance. While people have no control over what accounts are accessed at the service level—that's where the service's vigilance needs to come in—users can work to protect their interests with solid passwords that change regularly. The better the job done of keeping up with said passwords, the better the chance that, even if something is stolen, it won't be useful for long enough to do much damage anyway.
Edited by Stefania Viscusi