Adobe fesses up to hack but fudges on details

Two months ago hackers stole source code for Acrobat, ColdFusion, and ColdFusion Builder, plus data on 2.9 million customer accounts. We still have no idea how the user passwords were protected

If you use any Adobe product or have registered any products with Adobe, you have the right to jump up right now and scream, "Where's Walter White when we need him?" Brian Krebs at Krebs on Security and Alex Holden at Hold Security contacted Adobe a week ago and told them that, gosh, 40GB of uncompiled and compiled source code for Adobe products was sitting on a server used by a gang that's been stealing data for months. Krebs also noted:

Adobe confirmed that the company believes that hackers accessed a source code repository sometime in mid-August 2013, after breaking into a portion of Adobe's network that handled credit card transactions for customers. Adobe believes the attackers stole credit card and other data on approximately 2.9 million customers, and that the bad guys also accessed an as-yet-undetermined number of user names and passwords that customers use to access various parts of the Adobe customer network. Adobe said the credit card numbers were encrypted and that the company does not believe decrypted credit card numbers left its network.

Adobe fessed up a few hours after being outed by Krebs and posted a general description of the source code theft and a Customer Security Announcement about those 2.9 million stolen user IDs, passwords, and encrypted credit card information. Here's what Adobe said about the purloined personal data:

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred.

Note how carefully the wording is constructed: "We do not believe the attackers removed decrypted credit or debit card numbers." Nothing there says what the attackers can do with the encrypted ones they did remove.

In both statements the wording artfully dodges the central question, the most pressing question for users right now: How were the credit card numbers, names, expiration dates, and "other information" encrypted, and how were the passwords protected? It's nice that Adobe doesn't believe unencrypted data was leaked, but the method makes a world of difference, and Adobe hasn't told us what it was doing.

Adobe's word "encrypted" hides the detail that matters. For the card numbers, encryption is the right tool, and AES-256 with a key that never left the building would keep them safe; the question is where that key lived relative to the data the thieves walked off with. Passwords are different. They should never be encrypted at all but hashed, with a per-user salt and a deliberately slow algorithm (bcrypt, scrypt, or PBKDF2); salting is a property of hashing, not of a cipher. If that is what Adobe did, the situation isn't quite so dire: the bad guys have a two-month head start, but every account has to be attacked separately and every guess is expensive. If the hashes weren't salted, we're all in a world of hurt: one precomputed table (a rainbow table, or simply a hashed wordlist of previously leaked passwords) recovers every account that used a common password in a single pass, and users who chose the same password show up as identical hashes before anyone cracks anything. Thanks to that, a substantial portion of those 2.9 million stolen passwords, anything taken from a dictionary or an earlier breach, may already have been compromised. And if the passwords were encrypted with a reversible cipher rather than hashed, a single key unlocks the whole lot, and no salt changes that.
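What salting actually buys, as an added example that is not from the article and not Adobe's code (Adobe has not said what scheme it used, which is the complaint here): a constructed four-account dump and a five-word attacker wordlist, stored first as unsalted SHA-256 and then with a random per-user salt and PBKDF2-HMAC-SHA256 (a stand-in for bcrypt or scrypt, chosen because it ships with Python's standard library). Account names, passwords and the wordlist are made up. This concerns the password store only; the encrypted card numbers are a different question (who held the key), which no salt affects.

```python
import hashlib
import os
from collections import Counter

# Constructed sample accounts (not Adobe's data): the plaintext the attacker
# is trying to recover. Three of the four are deliberately weak.
USERS = {
    "alice": "password123",
    "bob": "letmein",
    "carol": "password123",            # same password as alice
    "dave": "correct horse battery staple",
}

# Constructed attacker wordlist; a real one is a leaked-password corpus.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]


def store_unsalted(users):
    """Weak storage: a single unsalted SHA-256 of each password."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def store_salted(users, iterations=100_000):
    """Stronger storage: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    bcrypt or scrypt would be the usual production choice; PBKDF2 is used here
    only because it is in the standard library."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        out[u] = (salt, iterations, dk)
    return out


def crack_unsalted(stored, wordlist):
    """Hash every wordlist entry once, then recover every account by lookup.
    Returns (recovered, hashes_computed): the work is len(wordlist) no matter
    how many accounts were stolen, which is the property rainbow tables exploit."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {u: table[h] for u, h in stored.items() if h in table}
    return recovered, len(wordlist)


def crack_salted(stored, wordlist):
    """With per-user salts no table can be shared: every account costs a fresh
    pass over the wordlist, and each guess costs `iterations` HMAC calls."""
    recovered, work = {}, 0
    for u, (salt, iters, dk) in stored.items():
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters) == dk:
                recovered[u] = w
                break
    return recovered, work


def shared_groups(stored_values):
    """Groups of users whose stored values are identical. Without salts,
    identical passwords are visible as identical hashes before any cracking."""
    counts = Counter(stored_values.values())
    return sorted(sorted(u for u, v in stored_values.items() if v == dup)
                  for dup, c in counts.items() if c > 1)


if __name__ == "__main__":
    weak, strong = store_unsalted(USERS), store_salted(USERS)
    print("unsalted:", crack_unsalted(weak, WORDLIST), shared_groups(weak))
    print("salted:  ", crack_salted(strong, WORDLIST),
          shared_groups({u: v[2] for u, v in strong.items()}))
```

Against the unsalted store the attacker computes five hashes, recovers alice, bob and carol, and can see that alice and carol share a password without cracking anything. Against the salted store the same three accounts fall to the same wordlist, but the work is sixteen PBKDF2 evaluations instead of five, each of them 100,000 HMAC rounds, and it grows with every account in the dump; scale that to 2.9 million accounts and a real wordlist and the two-month head start looks very different.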

I'm sorry Adobe, but I don't want your "one-year complimentary credit monitoring membership where available." I want the facts, now.

If Adobe had 40GB of source code sitting on an outward-facing server, that would certainly affect my opinion of Adobe's ability to run a secure operation. And if the bad guys have all of its source code, they can hunt for bugs in it at leisure, and so can anyone they sell it to. My bank uses ColdFusion, for heaven's sake.

If my Adobe password was compromised two months ago, I would sure like to know that, too.

Step up to the plate, Adobe. Can the platitudes. Your customers deserve the facts.

This story, "Adobe fesses up to hack but fudges on details," was originally published at InfoWorld.com.

Copyright © 2013 IDG Communications, Inc.