Adobe says breach notification taking longer than anticipated

Tue Nov 26, 2013 4:21am IST

Adobe company logos are seen in this picture illustration taken in Vienna July 9, 2013. REUTERS/Leonhard Foeger/Files

Adobe company logos are seen in this picture illustration taken in Vienna July 9, 2013.

Credit: Reuters/Leonhard Foeger/Files

Related Topics

Stocks

   

(Reuters) - Adobe Systems Inc (ADBE.O) said it is taking longer than expected to warn customers about a massive data breach that compromised data on tens of millions of people, leaving some in the dark 10 weeks after the attack was discovered.

That puts those who have yet to be alerted at increased risk of cyber-scams and identity theft, because part of the massive trove of data stolen from Adobe is circulating on the Internet.

"This is a pretty massive screw-up," said Chester Wisniewski, a senior security advisor at anti-virus software maker Sophos. "Anybody can go and download the list. It's not a secret."

Adobe identified the attack on September 17 and began notifying customers "immediately" after it disclosed the breach on October 3, according to company spokeswoman Heather Edell.

"Email notifications are taking longer than we anticipated," she said.

The company has had to validate email addresses of those affected, and also limit the number of notifications sent at any one time to make sure they don't get blocked by email providers or tagged as spam, she said.

Edell said the company has notified by email and letter some 2.9 million Adobe customers with credit or debit card information taken by the attackers.

It is in the process of notifying tens of millions of others who have Adobe ID accounts for using its customer website, she said. She declined to provide a specific number on how many had been affected, saying the investigation was still ongoing.

A file containing information on some 152 million Adobe ID accounts has circulated on the Internet for at least three weeks. It includes email addresses along with encrypted passwords and password hints, according to multiple security firms that have reviewed its contents.

Yet Edell said it was not accurate to say 152 million customer accounts had been compromised because the database attacked was a backup system about to be decommissioned.

She said the records included some 25 million records containing invalid email addresses, and 18 million with invalid passwords. "A large percentage" of the accounts were fictitious, having been set up for one-time use so that their creators could get free software or other perks, she added.

Still, security experts at Sophos and other firms successfully identified an unknown number of passwords in that file by analyzing password hints and using other techniques to guess at them.

Other companies, including Facebook Inc (FB.O), have identified users who employed the same passwords as those contained in the widely circulated file on Adobe customers.

The social network then required affected users to verify their identity and reset their passwords.

"We actively look for situations where the accounts of people who use Facebook could be at risk, even if the threat is external to our service," said Facebook spokesman Jay Nancarrow. "When we find these situations, we present messages to people to help them secure their accounts."

Computer users need to watch out for scammers who are sending out emails that appear to be security-breach notifications from Adobe, but contain malicious links, said Wisniewski of Sophos.

"The bad guys already know you have a relationship with Adobe," he said. "That makes it easier for them to scam you." (Reporting by Jim Finkle. Editing by Edwin Chan and Richard Chang)

FILED UNDER:
Comments (0)
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.

  • Most Popular
  • Most Shared

Under-Aged Workers

TECH SHOWCASE

Content Ideas

Content Ideas

Exclusive - YouTube weighs funding efforts to boost premium content - sources.  Full Article 

Uncertain Future

Uncertain Future

Demand for personal computers still erratic, outlook unstable.  Full Article 

Parking Robot

Parking Robot

Video: Robot concierge “Ray” parks cars hassle-free.  Video 

Harassment Lawsuit

Harassment Lawsuit

Female Yahoo executive sued for sexual harassment.  Full Article 

Reuters India Mobile

Reuters India Mobile

Get the latest news on the go. Visit Reuters India on your mobile device.  Full Coverage