42 comments

[ 9.9 ms ] story [ 1665 ms ] thread
Quite the increase from their original estimate of 2.9 million.
PR damage control.

BTW, Adobe seems to be a vulnerable giant to be taken over. Not sure why no startups target them.

I think they have, but it is subtle. It could be argued that Instagram was a shot over Adobe's bow.
Not sure if Instagram is a competitor to Adobe though, maybe over their low-end mobile apps. I was thinking of Adobe's cashcow -- Creative Suite. That could be a good niche market for C++ programmers from game companies to build their startups on.

Adobe of today is like RIMM in 2007 before the original iPhone was announced.

Ah, yes, Apple, that hip startup that undermined the RIM powerhouse :)
I was just thinking this morning about how from a technology standpoint Adobe seems to be way ahead of virtually everyone else at the moment. The only competing (pro to prosumer level) applications I've seen that are comparable with regard to features and polish to anything in Adobe's suite seem to be video editors (Final Cut, Vegas, Premiere), and maybe something like Aperture. It gives me a lot more respect for what Gimp and Inkscape are trying to accomplish, but it's a very long road they have ahead of them.

In the low-end space there was the Aviary suite, which despite really interesting potential seems to have pivoted to mobile. Pixelmator and Paint.NET have done an extremely good job at providing basic layered image editing functionality, but I don't see anything emerging to challenge Adobe yet.

A competitor in the Pro/Prosumer space would need to develop, from scratch, extremely sophisticated, feature-rich applications to replace Adobe's big 4: Image Editing, Vector Graphics, Motion Graphics, and Video Editing. They'd also need to tightly integrate these applications. This would be HARD. I don't think that the effort/risk/reward proposition looks very attractive for startups or their investors. Also, while game programmers might have some useful experience, I think that computer vision programmers would be much more familiar with the problem domain.

Apple, or maybe Corel probably would have done this a long time ago if it was feasible.

Adobe only dominates the photo editing / print sector. They are not the industry standard neither in motion graphics nor video editing. They are losing the web developper market and they could be losing the web and game graphics market too ( ince they killed Fireworks ).
That's a fair point. Photoshop and Illustrator are definitely their flagship products, and I didn't even bother mentioning their web tools (HTML5 is rapidly making Flash a legacy/zombie product, and I don't think there's any single clearly dominant web design/dev tool/toolchain -- although I'd argue that the majority of mockups still occur in Photoshop, and slicing up PSDs for the web is still done). I mentioned Premiere and After Effects because they're the other 'big' apps that Adobe develops, and they do integrate tightly with their main 2-- but as you mentioned, Premiere and AE definitely have very healthy competition.

Which brings up an interesting question...if After Effects and Premiere have strong competition, why don't Photoshop and Illustrator have equally strong competitors? I've already taken a guess, but I'm interested in other perspectives.

I worked at a competitor company in the late 90s. Their marketing muscle was nearly impossible to overcome. You either died (like the company I was at) or you became acquired, like Aldus, Macromedia... Photoshop.
For Photoshop, at least, I suspect most of their cool image manipulation tech is patent protected, and that they've got a legal team rigorously enforcing those patents.
I received the letter in my mail reporting my information was stolen from Adobe... pretty scary we had to sign up for a credit check company as a result. With the article here: https://news.ycombinator.com/item?id=6583103 we decided not to go with Experian... but that didn't ease my concerns with the other two options...
Same here. I didn't feel their offering from Experian was great either. I just canceled my card instead.
Cancelling the credit card is probably a wise course of action? I have a subscription to creative cloud.
Why not just cancel your credit card?

Or did you give Adobe your SSN as well?

A free credit check compensation is funny. It's like getting free 8x10 glossies of your car being stolen.
I know there is an auditing process whenever a breach occurs, so it somewhat makes sense. However, it really seems like companies intentionally announce a 'smaller' breach only followed up (99% of the time) with a 'massive' breach.

I would much prefer a initial 'massive' breach announcement (when possible), as that would breath a higher a level of transparency and honesty.

As someone in the information security industry, it's a balance between getting the information quickly and getting the information completely. Especially in the case of a major organization who needs to communicate with customers. You're going to catch flak for not saying anything fast enough, and you're going to catch flak for saying something inaccurate.

In breeches I've been involved with, some companies would prefer to do the full investigation and then present the information to their customers (in accordance with the policy of whatever state they fall under the jurisdiction of). Others would rather let their customers know that there was a breech as soon as possible, while the investigation was ongoing (even if the information may change after the intial communication). It's really hard to say which is the "best" policy, but if it's CC data or PII, personally I would rather hear 2 million... no wait 36 million than not hear anything for days or week while my information is being disseminated.

They've already started putting that stolen data to good use too. http://i.imgur.com/nm6qMGy.png
Yep. I stupidly reused my Adobe password (don't even remember making the account) on MtGox. Had a bitcoin worth $200 stolen. Fairly sure it was from the Adobe leak as it was taken a day or 2 before the announcement

In the end it was a pretty cheap lesson in security... I've now changed all my passwords on everything and they're all unique

I connected my old Yahoo account to my Adobe ID and within days of the breach, my Yahoo account locked up due to "suspicious activity" on it and I had to jump through a few hoops to get it reinstated.

Thank god I didn't have any credit card info on my Adobe account.

Ah. That explains the flickr forced pw change n days ago.
Adobe's security breach undermines their new Creative Cloud licensing model, because Creative Cloud requires an ongoing trust in Adobe in order to continue functioning. A boxed software (or one-off download) model is transactional, requiring less trust. (One can, at least, firewall boxed software to limit potential damage.) Since Creative Cloud is subscription-based, one has to maintain an account with Adobe to keep the software working.

As someone dithering about transitioning from Creative Suite to Creative Cloud, receiving Adobe's letter was a slap in the face.

Given that the breach not only included accounts and credit cards, but also source code, I believe it's reasonable to speculate about potential exploits, including exploits in the Creative Cloud deployment mechanism. Going a little further into paranoia, I wonder if running Creative Cloud is potentially equivalent to running a trojan delivery system. I.e., how do we know Adobe's servers are now secure? Adobe is being cagey about the extent of the breach; the breach may have included internal Adobe credentials that can only be solved by a system-wide nuke-and-pave.

I really want to buy Adobe's new software, but they're making it extremely difficult for me.

(comment deleted)
When I go to the adobe website and try to login, it tells me that I need to reset my password. Well that's great but it tells me this no matter what password I enter. Last time I logged into the adobe website was probably a year ago so I have absolutely no idea what services I need to change my password for so I need to change them all. Thanks Adobe!
It's maddening that their default position offers no real amends for their 38 million impacted customers, save for a free year of credit monitoring. Canceling my card and getting it reissued is not trivial.

It's not so much the breach as it is the lackluster response and lack of ownership of the problem that has me ready to cancel the service. Even the original blog post, which reported only 1/10th of the real information leak, started with: "Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers."

Sure those are valid statements, but they don't really help me feel good about the Adobe platform going forward, and they do more to pass responsibility than to claim ownership.

You should not be upset with Adobe. You should be upset with your payment card provider.

This industry has systematically externalized the cost of these data breaches, and the security systems necessary to try to prevent them, to every other business and end-user in the country.

There are many ways to solve this problem. Europe has largely solved this problem, and using your antiquated American credit card in Europe is not only difficult, but even if possible will elicit crazy looks.

What other industry today would you trust that the only security is a 16 digit number that you repeatedly share with the world and your zip code? And to think this is how we secure our money?

Adobe is offering a service that costs at the least tens of dollars to 38 million people. What is your credit card offering?

Abobe is required to offer credit monitoring. That's not an optional altruistic service on Adobe's part. Depending on the details of the hack, the CC processors can also fine Adobe significant amounts.

The credit card company is offering full fraud protection. So if someone does use your CC for fraud, you're inconvenienced, but not liable. That's far more than what Adobe is required to offer.

I'm quite happy with the American system of "it's the CC provider's responsibility to sort out fraud". It allows commerce to flow, and the backend can figure out fraud most of the time. Putting the burden on a consumer via a PIN system now means consumers have to be more careful, which is bad for consumers and could possibly deter them from using the cards as much.

Edit: The one thing I'd agree on is the broken system of "credit" in the US. Any company can ruin your credit rating based on their own internal policies, and successfully fighting is a major ordeal. All a company has to do for proof is show a bill, which they literally can just make up.

Additionally, requiring an SSN for everything is ridiculous. Cable TV and prepaid T-Mobile even demanded one. In Canada, no company is allowed to refuse service if you decline to provide your SIN.

The free monitoring is only available to the subset that they've confirmed had their payments info affected. They currently are claiming this is only 3M of the 38M customers.

Source: They just directed me to protectmyid.com and told me to sign up and pay for it myself. Not a great customer service experience.

> Europe has largely solved this problem, and using your antiquated American credit card in Europe is not only difficult, but even if possible will elicit crazy looks.

Wait what does Europe do? Just genuinely curious, and a cursory google search didn't return anything.

Chip and pin cards.

I can confirm, when I first came to the UK four years ago, only major retailers seemed willing to accept my Canadian CC, and even then, the cashier usually had to call the manager to confirm that it's ok.

Another thing I have to credit Europe with is the lack of proprietary debit card systems like Interac or Plus. It's all done via Visa/Mastercard Debit, so you're never forced to do your online shopping on credit.

Coming from Vancouver, I assumed chip & pin cards were widespread across Canada (they are here). I suppose this is not the case?
AFAIK, it works the same online as your typical magnetic strip card, however, it's associated with a PIN which likely (hopefully) isn't stored by the merchant. Similar to a card security code (CVV).

Otherwise, offline you place it into a card reader and enter a PIN. The card then authenticates the transaction only if the PIN matches. The card stays within the reader as you enter the PIN.

Further reading,

http://en.wikipedia.org/wiki/Chip_and_PIN

http://en.wikipedia.org/wiki/EMV

You won't leave Adobe because you refuse to learn an alternative tool chain. Talk heavy, maybe adobe will listen and forfeit some of the massive power they have over the internet and users.
Whoa, that's completely unfair. In fact, wherever it's possible (like on independent projects), I work with alternative software. Not to protest Adobe, but because I just think there's better software out there. Some of it is open source. All of it is significantly cheaper, loads faster, and has less bugs.

However, design involving collaborators, vendors, and professional output often requires standardizing on Adobe software. I'm not happy about it, but it's where the industry currently happens to be. Don't confuse honest pragmatism with some form of stubborn laziness.

As someone who (very occasionally) needs to manipulate PSDs, are there any alternatives to Adobe? My version of Photoshop is woefully out of date, and I'd prefer not to pirate. I was just looking at shelling out $30 a month to try out Photoshop CC, and then saw this!
If you're on a Mac, try http://www.pixelmator.com/ - $30 for a license, and I believe that gets you free upgrades. I haven't extensively tested it's PSD support but I do know that it can at least open and save them and everything appears to work correctly.
Is there a list of accounts affected somewhere?
Am I the only one that feel that the numbers doesn't matter? Any website that's been hacked it should basically consider everything has been compromised right?

Not something like - Ohh, your account has been compromised, yours are not, his is... etc