[Note: if you came to this site because you’re having trouble enrolling in Experian’s service with the Adobe activation code, jump to Update 5, below. Please do not simply post that the activation code didn’t work – tell us whether you tried Firefox if you were having problems with another browser.].
Adam Gabbatt reports that Adobe has been hacked, and 2.9 million customers are affected. The breach has been confirmed by Adobe.
Adobe said “sophisticated attacks” had been carried out “very recently”.
“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems,” said Brad Arkin, chief security officer at Adobe.
“We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.”
Read more on The Guardian.
Brian Krebs has the backstory on this:
KrebsOnSecurity first became aware of the source code leak roughly one week ago, when this author — working in conjunction with fellow researcher Alex Holden, CISO of Hold Security LLC — discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll. The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.
Shortly after that discovery, KrebsOnSecurity shared several screen shots of the code repositories with Adobe. Today, Adobe responded with confirmation that it has been working on an investigation into a potentially broad-ranging breach into its networks since Sept. 17, 2013.
In an interview with this publication earlier today, Adobe confirmed that the company believes that hackers accessed a source code repository sometime in mid-August 2013, after breaking into a portion of Adobe’s network that handled credit card transactions for customers.
Read more on KrebsOnSecurity.com.
Adobe has posted a Customer Security Alert, linked from its home page with an FAQ on the incident and instructions on resetting your password. Of note:
As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. Customers whose user ID and password were involved will receive an email notification from Adobe with information on how to change their password. We also recommend that customers change their passwords on any website where they may have used the same user ID and password.
We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. Customers whose credit or debit card information was involved will receive a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them.
Update: A copy of Adobe’s customer notification letter has been uploaded to California’s breach site. The letter indicates that the unauthorized access occurred between September 11 and September 17. Those notified were offered one year of free credit monitoring and assistance from the Experian ProtectMyID Alert system.
Update 2: If you’re having problems signing up for Experian’s service, please see Adobe’s response in the Comments section below.
Update 3: Experian also responded to my tweet and tweeted that they are looking into the problems reported by some Adobe customers, below.
Update 4: Please see the note from Wiebke Lips, Sr Mgr, Corporate Communications, Adobe, below.
Update 5: Despite Adobe’s and Experian’s assurances, some people are continuing to report problems. It appears that switching to Firefox from Chrome may enable you to use Experian’s site properly, so if you’re having trouble registering for their service, try switching to Firefox.
I tried to go to http://www.protectmyid.com/adobe to enroll in complementary credit monitoring and unable .please help.
The site looks like it’s working fine. What problem are you having? You do have an activation code, right? If you can’t get the site to work for you, call them at 1-877-297-7780
I cannot access the website either and calling the 877 number just gets a recording with no ability to reach an Experion help desk. Please see if this can be corrected, otherwise some of us cannot access the appropriate membership options, etc.
Look, folks, I’m just a breach blogger and can’t really fix this for you, but I did just tweet a message to Adobe and Experian asking them to look into this. Can’t be sure they’ll even read my tweet, but not much else I can do unless you start calling Adobe at 866-412-8699. If you do call them, let us know if it helps.
Hi everyone! Please try calling (866) 578-5413 to get to Experian instead. Let us how it goes. Thanks!
To Adobe Care: First you failed to protect my information. Next, you sent me a letter directing me to site that doesn’t exist. Then you told me to call them instead. When I did that they could not get the “unique” activation code to work either. Now what?
I can’t get it to work either. THE SITE IS NOT WORKING FINE. I think they are using the same IT people as Obamacare.
I tried too and the url auto-redirects to the main site and the activation code will not work. :-/
Same here
The website doesn’t work for me either. Come on Adobe – pull your finger out !!
To be fair, I’m not sure whose fault this is – Adobe’s or Experian’s. In any event, it’s clearly frustrating and the system and activation code(s) should have been fully tested before consumers were given instructions to use the system. Both Adobe and Experian have contacted me in response to my tweets about consumer frustration, and I hope they will post some update or information here.
can not access this site that is the one adobe wrote me
OK folks, no response to my tweet so I just called Adobe’s Press Relations hotline to alert them to your complaints and to ask for a statement. Let’s see if they respond.
Okay, Adobe has responded to my tweet, so hopefully they’ll look into this and post something here to help you all.
We have contacted Experian, and there does not appear to be an issue with the website or the activation codes included in the letters we have sent to customers. If you have received a letter from Adobe with the offer to enroll in a one-year complimentary credit monitoring membership, please visit the URL and personal activation code referenced in your letter.
Please note that the URL http://www.protectmyid.com/adobe is only accessible in the United States. The Experian call center for customers in the United States at (866) 578-5413 is staffed from 6am to 6pm PDT Mondays through Fridays and from 8am to 5pm PDT on Saturdays and Sundays.
For customers outside of the United States: Credit monitoring memberships are not available in all countries. If you received a notification letter from Adobe because your credit or debit card information may have been involved, please visit http://www.adobe.com/go/customer_alert for more information, including Adobe Customer Care contact details for your country of residence.
Thanks for responding, Wiebke. The people who have been complaining of problems are all within the U.S. (I can see their IP addresses). So please check back here tomorrow to see if people continue report problems. I’d hate for Experian (and Adobe) to think everything’s fine if it turns out consumers still can’t get the site to work for them.
Just call the 1-866-578-5413 and the rep helped me registered. She even ask me for the activation code that came from the letter. She was GREAT!
Glad to hear it! I hope they fix whatever the problem is so that people can just register/sign up without having to call them for help.
I tried so many times to get into the web site they kicked me out. Anyone here familiar with the phrase I wouldn’t use it if they gave it to me for free. Good Night America
Did you happen to try another (or second) browser? Based on what Adobe says, I’m beginning to wonder if there might be something in browser settings affecting some people but not others.
I have tried all evening to enroll with Experian- via my only browser, Chrome….I can get to the Experian site, but the site refuses to take the activation code provided..plus all cust svc numbers on this site are useless. While the hackers and thieves will feverishly work all weekend, Adobe nor Experian feels their lives should be disrupted to have to work this first weekend of the crisis. None of the cust svc numbers posted at this site have real human beings answering only recordings to call back on Monday- hopefully I won’t be cleaned out before a “cust svc” person can bother to return to work on Mon morning!.
What can be done if you do not have Firefox??????????
You could try disabling any extensions or pop-up blockers (i.e., temporarily disable privacy and security settings in Chrome) and see if that works, but I’m not sure why this is happening to some Chrome users, so that might not be a solution.
This may sound “flip,” but I’d say download and install Firefox. Or call Experian on Monday and register by phone.
Adobe is continuing to watch the comments on this site, so they will be aware of your report here.
Dissent, You are exactly right. It is a Chrome browser issue on my Mac. I’ve retried the URL in Firefox and the Activation Code screen comes up immediately.
I’m also a Mac user, and i can confirm that Firefox works fine, unlike chrome.
I use firefox and have been unable to access the site!
PC user: foxfire worked for me. Chrome and others did not.
if ur letter has anywhere on it PO BOX Chanhassen MN 55317 then you r giving ur info to scammers – if u r unsure google the address like i did and it takes you to http://www.ripoffreport.com which sites 57 instances asscociated with this address and a company called ECMC who are scammers who use ur info – check it out before u activate anything
Are you suggesting/reporting that some people are getting letters purporting to be from Adobe that are not from Adobe? Or is this a general warning that has nothing to do with the Adobe breach?
i made some kinda of mistake in my research but i don’t think i have and if it is concidence well, crap happens
Please note that the “PO Box 483, Chanhassen, MN 55317, USA” return address is the legitimate return address on the customer notification letters sent by Adobe for the incident announced on October 3. This PO Box address is owned and managed by the vendor handling the mailing of and returns for these letters on behalf of Adobe.
Thanks, Wiebke. This is a good example of how rumors can spread and can needlessly cause alarm. It’s always best for consumers who have any questions to go straight to the horse’s mouth to verify legitimacy.
this is true but this is all digital so wheres ur proof of who you are talking to at ‘Adobe’ ?
Because Wiebke Lips was the one from Adobe who contacted me in response to my voicemail. Ms. Lips has also exchanged emails with me about the problems, and all email to/from her has used an adobe.com email address and IP.
Hello all,
How about Puerto Rico? A US Commonwealth, all American Citizens and from where we pay, in American dollars all services, including our memberships, etc., etc.
I cannot access any of the numbers listed. Tell me what to do, please. Also, should my ID be stolen, who would be responsible?
Please advise.
Thank!
Hi Ofelia,
We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your credit or debit card information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you.
In terms of Adobe IDs and passwords, we have reset all passwords for Adobe IDs we believe to be involved and are in the process of sending email notifications to customers. Customers who have not yet received a notification but wish to proactively change their password on any Adobe service may visit the login page for their respective service to initiate the password change.
Additionally, you will find additional information, including contact details in the event you have questions, on our Customer Support page at http://www.adobe.com/go/customer_alert.
Hope this helps!
Following your instructions I joined? Firefox and got all signed up.
Why put me to the misery of getting another browser? Couldn’t someone used the system at their homestead to see whether the instructions worked.
From my correspondence with Adobe’s Corporate Communications, I can tell you that they personally tried it with Chrome, but it worked for them, so they were surprised at the problems people have reported here. I’m guessing that it’s some extension or setting that’s creating problems for a subset of Chrome users. In other breaches, I’ve occasionally seen comments on this blog about people having trouble signing up for Experian’s service. I think maybe Experian needs to check into this more and either fix something in their code or post instructions on their sign-up page to help people use their site. Note that Adobe has been very active/involved in this post and thread, while Experian has not showed up at all even though they did tweet to me in response to my request for their help for commenters here.
I had trouble with Firefox, but Safari worked for activation code
Please notify me when you solve this problem. I cannot connect with http://www.protectmyid.com/adpbe.
Did you try Firefox? The problem is not with Adobe but with Experian’s site. If you can’t connect via Firefox or any browser, you need to call them. It would be nice if they showed up here in this thread to respond to all the complaints and/or to post something on their sign-up page to help people.
the code did not work for me either.
Did you try Firefox?
i just got the letter today… and i’m a bit wary/suspicious of why they’d recommend a specific ‘protection’ company… does adobe have a stake in experian?
and does experian’s ProtectMyID Alert membership actually protect your financial/personal info from being hacked, or just deal with it after it happens?
I tired and the code did not work as well. When I called the number, the gentleman asked if I was trying to sign up for the Health Insurance Market Place….
Sorry, not giving that guy my SS number.
Had nightmare with my Health Insurance Exchange- appears they are all using Experian to verify applicants! Well, guess what? Can’t because of the security lock down! So now I have spent 2 days with my health insurance exchange trying to explain to them that they are going to have to “verify” me some other way as I am not releasing my id lock since this Adobe breach!
FYI, also couldn’t use activation code. Simple solution via experian’s help: Use IE (I was using google chrome) and use the site http://www.protectmyid.com/redeem instead of /adobe! Worked perfectly…now if only my state government’s healthcare website were so efficient…
Why would any legit site request such personal information?
Just tried to signup with Safari on MacOS but could not do so…this has been a doubly negative customer experience with Adobe: first the data breach; then the pain in the neck ‘free’ offer that is too difficult to use (and looks like a phony come-on). Plus the Experian service costs $15.95/mo. once the free year ends…who wants that monthly charge, because of Adobe’s carelessness?
Adobe could have automatically taken care of it for everyone all by themselves, buying everyone the membership. But they didn’t.
Now I’m doubly mad at Adobe–once, for not taking care of my data; and twice, for wasting my time.
Into the circular file with the Adobe mailer. I’ll think twice before buying another Adobe product until this has bee fully resolved.
PS, bad customer relations to send out mailings with a P.O.Box instead of a street address, looks suspicious, imho.
Um… how can Adobe sign up anyone for Experian’s service when they don’t have the necessary details/info on customers (such as SSN) to enroll people?
Personally, I’d be mad as hell if a company signed me up for any service without my authorization.
I do think they need to get on Experian’s case to make the online signup process easier for people, though.
chrome did not work for me either but internet explorer did work fine