Win the New Adobe Creative Cloud 2017 Release – FREE Full Membership!
Home > Various October 31st, 2013

Adobe’s Data Security Breach Was Not Really the Creative Cloud

Adobe’s recent and regrettable data security breach has been getting a lot of headlines, but not always for the right reasons…

Read Adobe's Customer Security Alert FAQ

Although the sizeable breach has nothing to do in particular with Adobe’s new Creative Cloud offering, it has nonethe­less been scapegoated here.

A popular online photography site wrote, “The attack exposes a weakness in the company’s new Creative Cloud subscription model…”

Well, not really.

Adobe Forum posters say things like, “This makes me like Creative Cloud less.”

But in fact, the breach was not only for Creative Cloud customers, but rather for Adobe ID accounts generally – which most customers have for any type of product, including CS6 and earlier, Acrobat, Lightroom, and so on.

Creating such an account is/was required for Creative Suite 6 starting in May 2012.  It also happens during product registration and if you want to interact online with Adobe in almost any way.

For any direct software purchase – including CC or CS6 (which still remains available) – Adobe would have your credit card details on file, just like with Apple, Amazon, eBay/PayPal, Dell, Overstock, etc.  Adobe should have protected this information better – but fortunately in this case, the company says that data was encrypted and (as of Monday) currently has no indication that there has been unauthorized activity on any Adobe ID account involved in the incident.

Regardless, there are still some recommended precautions:

But bear in mind that having your credit card information stolen is not the same thing as identity theft … For consumers reacting to news about their credit or debit card being compromised, it probably makes more sense to opt for placing fraud alerts and obtaining free copies of your credit report several times annually, as specified by law. And remember that the card associations all have zero-liability policies.

Read Adobe’s Customer Security Alert FAQ.

Obviously, all storing of personal credentials online or use of credit cards anywhere (at any merchant) carries some risk… Credit cards are relatively safe in a home lockbox but that’s not what they were created for. We recommend CreditKarma.com for completely free credit scores and monitoring, any time and all the time.

Finally, all the leading creative tools like Photoshop CC and Illustrator CC remain desktop applications that download and run locally on your computer desktop, not in or over the cloud. These are not web applications or hosted software.

The “cloud” part of Creative Cloud (all the online file storage, sharing, and syncing) is actually handled by Amazon:

Creative Cloud is hosted on Amazon Web Services™ (AWS) in the United States, Europe, and Asia. AWS offers a reliable platform for software services used by thousands of businesses worldwide. AWS provides services in accordance with security best practices and undergoes industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, HIPAA, and SAS 70 Type II. This means that Cloud members benefit from the latest in security practices for stored assets.

So not to make excuses for what transpired here – just to be clear that while the Creative Cloud and this security incident happened close together in time, they are not directly related.

See Also

Get New CC 2017 Direct Download Links: All Free Trials

Keep up with the latest on Adobe software — follow us on Facebook or Twitter, or subscribe to our RSS feed… You can also enter your email and have new articles sent directly to your inbox.
Categories: Various Tags: , , , ,

Share This

Email this page
Available Worldwide! Get New Adobe Photoshop CC 2015 plus Lightroom 6/CC for Just US$9.99 a Month (Regular Ongoing Price)
  1. Sandro

    While it is true it is not only a CC problem, it does highlight the very poor security measures that Adobe affords its customers. It is also interesting that a number of CC customers decided to have their credit cards canceled and replaced after the breach had their accounts suspended almost immediately by Adobe, essentially losing their ability to work and edit their files for god only knows how long.

    Additionally Adobe took over two weeks before informing the 3.000.000…… oops! I meant 38.000.000 compromised account holders, leaving them in the dark for so long could have (maybe has) lead to widespread theft and a lot of headaches for its customers in order to rectify the situation. Let’s also not forget that the breach also involved the theft of the source code of some of Adobe’s programs, which could facilitate future hacks, potentially adding further disruptions.

    • Obviously some of us here got those notices too, as we have Adobe ID accounts as well. The biggest nuisance was changing the account password (which had been reset), and any other online accounts that used the same email and password (make sure to do that).

      In the company’s response FAQ, they do not advise canceling your credit card, but rather keeping an eye on it just to be sure. They are offering free credit monitoring service to customers who would like it. Or you can use a different (always free) one like CreditKarma.com.

      We believe any future ‘cloud’ security risks from stolen source code for a few pieces of software are overstated and mostly FUD.

      While the credit card data was encrypted, clearly Adobe’s other measures that were in place were inadequate. They say they deeply regret this happened and we believe them – and believe this is a powerful learning moment that is unlikely to ever happen again.

  2. nathan

    i disagree. You are correct it is not a problem with cc. The indirect problem is cc for many will have a monthly subscription of which an account probably a credit or debit account is billed. The more people on cc means more financial information on our accounts. This is not true if you pay for a year subscription on cash or for cs6 in cash. There is then no digital paper trail. I also suggest getting a credit/debit card that is a separate account with no non-necessary personal information. As a debit card it can only take out what is on the card not keep charging you. Keep enough money on it to pay for 1-2 months of cc subscription but no more so that if it does get compromised they don’t have all your money that linked to all your accounts.

    • Well, that would be the same as with any online vendor or service provider, such as other companies mentioned in the post like Apple, Amazon, eBay/PayPal, Dell, Buy.com, etc.

      Creative Cloud may mean more customers have their payment details on file with Adobe, but we haven’t heard of anybody ever paying $2000 in cash for Creative Suite – so credit cards being used somehow is generally a fact of life, and theft can happen anywhere online or off.

      Fortunately the credit card companies all have zero (or low) liability policies for customers, because they want people to use them. Debit cards actually have less protection in this regard.

      Here’s one solution that might fit a guy like you. If you’re a Creative Cloud customer but now don’t want Adobe to have your credit card details on file, then you can just buy a year (or more) of Creative Cloud in advance using the prepaid 12-month membership cards, and Adobe would not have your credit card information, nor would you be charged or reactivated on a monthly basis.

  3. Daniel

    Q: Have there been any reports of product keys being stolen from customers account due to this data leak? I read that order details have been taken…

    • Hey Daniel, nice to see you again and that’s a good question. No, there were no reports of product keys being taken. They wouldn’t be of much use to a thief because a license can be easily reestablished to/by the rightful owner.

      Credit card order information was taken only for some of the affected accounts, and “the credit card numbers were encrypted and the company does not believe decrypted credit card numbers left its network.”

  4. Willie

    @nathan

    Or better yet, Adobe can bring back the perpetual licenses for all Adobe products going forward and problem solved! Nothing to figure out or do. Nothing to worry about. A much better solution!

    • That wouldn’t be a solution because as mentioned in the article, the breach affected customers of all products – including CS6, which Adobe does continue to sell with perpetual licenses (if preferred).

      But the world is not moving away from online delivery of software and going back to boxes… Can you imagine if the iOS App Store had to deliver boxes?

  5. Sandro

    Last time my credit card was cloned was during a trip to Malaysia, the fraudulent charges did not start to appear immediately, but only after about a month and from France so the fact that no illegal activity was detected so far does not mean much.

    “They are offering free credit monitoring service to customers who would like it”
    Yes if you live in the US they do, but if you are from any other country like me you are on your own!

    “they do not advise canceling your credit card, but rather keeping an eye on it just to be sure”
    I do not know how it works in the US, but here it takes them up to a month and a half for them to reimburse fraudulent charges, and only after you have lost half a day in a police station to report the crime. Last time it happened to me I was s*** out of luck for over a month and 3000 Euro in the red for that period, so you can understand that if something like this happens the first thing you do is cancel your credit card.

    “We believe any future ‘cloud’ security risks from stolen source code for a few pieces of software are overstated and mostly FUD.” they also believed that their servers were secure so…

    “you can just buy a year (or more) of Creative Cloud in advance using the prepaid 12-month membership cards
    the only thing that makes the CC remotely convenient (CC is a lot more expensive here) is the possibility of paying in monthly installments so buying a year in advance makes no sense for me.

    “Well, that would be the same as with any online vendor like Apple, Amazon, eBay/PayPal etc”
    I have bought books on Amazon since the very beginning, the same is true for Apple and my iTunes account, I have had an account with paypal for years they also reimburse me immediately in case of fraud. I have used them all for many years and never had any issue what so ever with them!

    the only thing that would make any sense would be to use a debit card as suggested by nathan but you have the added pain of having to remember to recharge it.
    I think that I’ll stick to buying software from shops or reputable online vendors! (see above) I have a feeling it’s a lot safer.

    • Well, all vendors are presumed safe until they’re not… What happened here was really unfortunate, but no system is guaranteed invincible and every company is a target. Any time you make any purchase online you take the risk that company or their payment provider gets hacked and your details stolen.

      If that’s not acceptable, then shop bricks & mortar with cash only – but of course that’s inconvenient and has its own costs… If you do use a credit card at a store or restaurant, pray the clerk/server isn’t creating a copy of your card as he swipes it through the machine (which you say already happened to you). Of course, out in the physical world you also run the risk of losing your money/card or getting pickpocketed.

      As for credit monitoring outside the US: CreditKarma.com is great and free for everyone, but not sure if it’s available yet internationally.

  6. Daniel

    @ProDesignTools

    Hi, nice to talk to you as well :)

    What would happen if someone did log in into an affected account and got the product keys that way? Would Adobe replace the affected product key in such event? I’m just thinking of a case where someone could be very unlucky.

    • In that case, because the serial number was already in your account you could just contact Adobe and request that it be reset, and they would create a replacement license key directly in your online account for use going forward (while canceling the previous one).

      BTW, this is exactly what happens when someone requests a crossgrade between platforms (Windows – Mac) for Creative Suite. Basically your recorded SN gets swapped out for a new one.

      So there really is no benefit in anyone ever trying to steal those, so long as they are registered… (which is a benefit of having that information stored online in your account)

  7. RCM

    Thanks for the pointer on Credit Karma – it looks good so I am going to skip the Experian offer Adobe sent me and try using that instead.

  8. Isabelle

    I skipped the Experian offer, having read the krebsonsecurity.com alert about the breach (love that security blog). and his thoughts on Experian (which I think has since been mentioned in the press as having contributed to the Affordable Care Act website problem – and which sold personal information on people using their services to shady buyers).

    All in all, an unfortunate security breach for all Adobe subscribers/purchasers.

  9. WS

    Not sure if it was mentioned in a previous post or not but a pre-paid credit card (like those you can pick up at the mall for a gift – often from American Express) are good in subscription situations or whenever you believe that your information is not so secure. Plus, let’s say you want to just to subscribe to Creative Cloud for XX months… then you just put that much balance on your card to cover those months and you won’t get overcharged if you forget to cancel.

    PDT – Great blog by the way ;)

  1. No trackbacks yet.