Customer security alert

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 3.1 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe that the attackers removed decrypted credit or debit card numbers from our systems.

We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.

Adobe's security team discovered suspicious activity during regular security monitoring

Our investigation is still ongoing. Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers.

As a precaution, Adobe immediately reset passwords for all users whose current credentials (Adobe ID accounts with valid, encrypted passwords) were in the database that was taken by the attackers to help prevent unauthorized access to Adobe ID accounts. We sent email notification to these users with information on how to change their passwords. We recommend that customers change their passwords on any website where they may have used the same user ID and password.

We also notified customers whose credit or debit card information we believe to be involved in the incident. In addition to email notification, customers whose credit or debit card information was involved received a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them. We also notified the banks processing customer payments for Adobe, so that they could work with the payment card companies and card-issuing banks to help protect customers' accounts.

We continue to work diligently internally, as well as with external partners, to address the incident. We contacted federal law enforcement and are continuing to assist in their investigation.

Adobe has reset passwords for all users whose current credentials (Adobe ID accounts with valid, encrypted passwords) were in the database that was taken by the attackers. We notified users in two ways:

• We sent email notification to all users whose credentials were in the database that was taken. We prioritized by notifying active users first, followed by notifying inactive users and users whose passwords in the impacted database were no longer current. We notified inactive users and users whose passwords were in the database because we recognized that they may be using the same user IDs and passwords on other websites.
• If your password was reset, you would have received, or will receive, a password reset notice on the login screen at the next attempt to log into your Adobe ID account. If you are not prompted to change your password at login, your current credentials were not in the database that was taken.
  

The email notification process took longer than originally anticipated given the number of email addresses and the practical limits on the number of notifications that could be sent at any one time. We also worked closely with Internet service providers to minimize the risk of emails getting blocked.

If you would like to change your password on any Adobe service, you may do so at any time. Change your Adobe ID password.
 

Adobe customers worldwide provide us with account information, so we took precaution and reset relevant customer passwords and notified any customers who have provided us with their credit or debit card information.

Yes.

We value the trust of our customers. We are working aggressively to prevent these types of events from occurring in the future. We are working diligently internally, as well as with external partners and law enforcement, to address the incident. 

We notified customers whose credit or debit card information we believe to be involved in the incident. Customers whose credit or debit card information was involved received a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them.

Adobe has reset passwords for all users whose current credentials (Adobe ID accounts with valid, encrypted passwords) were in the database that was taken by the attackers. We notified users in two ways:

• We sent email notification to all users whose credentials were in the database that was taken. We prioritized by notifying active users first, followed by notifying inactive users and users whose passwords in the impacted database were no longer current. We notified inactive users and users whose passwords were in the database because we recognized that they may be using the same user IDs and passwords on other websites.
• If your password was reset, you would have received, or will receive, a password reset notice on the login screen at the next attempt to log in to your Adobe ID account. If you are not prompted to change your password at login, your current credentials were not in the database that was taken.

If you would like to change your password on any Adobe service, you may do so at any time. Change your Adobe ID password.
 

Please send us an email at privacy@adobe.com with your request.

If your Adobe ID and encrypted password were in the database that was taken, we have already reset your password. Adobe has sent notification letters to all customers whose encrypted credit card information was taken. If you did not receive the letter and would like to check to see if your credit card was impacted, please contact customer support. In some cases personal data such as first name, last name, address, and phone number were removed. If you have questions about what personal data was removed from our systems, please send us an email at privacy@adobe.com with your request.

We are aware that a number of websites have recently appeared, claiming to let users "validate" whether their Adobe IDs and passwords were taken and require a password change. These sites are not reliable sources of information on whether a particular user ID is at risk. The database taken by the attackers came from a backup system that had many out-of-date records and was designated to be decommissioned. Many records in the backup database taken by the attackers had no passwords or passwords that were no longer current associated with them. Adobe’s authentication system of record, which cryptographically hashes and salts customer passwords, is not the source of the database these sites are using.

We do not recommend sharing your email address with these websites. There is a risk that at least some of these sites may be designed to harvest valid email addresses for spam or phishing purposes.

In our October 3 announcement, we indicated that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also indicated that the attackers removed from our systems certain information relating to 3.1 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.

We did not reference a specific number of impacted Adobe ID accounts. We communicated the information we could validate at the time of the announcement. In the process of verifying and notifying customers whose Adobe IDs and passwords we believed to be involved, we eliminated invalid records. Any number communicated in the meantime would have been inaccurate.
 

If your Adobe ID and current password were in the database that was taken, we have already reset your password. If you use the original password on another site, you should change it immediately. We also recommend that you follow password best practices to ensure that your new password is secure:

• Don’t reuse passwords: Your password should be unique to your Adobe ID account. Don’t reuse a password you have previously used with your Adobe ID or a password you are using on any other website.
• Make sure that your password is difficult to guess: Your password should be at least eight (8) characters in length. It should contain a mix of different character sets, such as uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters (# $ % & ; - _ { }). It should not use all or part of your name or your Adobe ID.
   

We are not aware of any zero-day exploits targeting Adobe products. However, we recommend that customers run only supported versions of the software, apply all available security updates, and follow the advice in relevant security hardening guides. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products.

Adobe notified the banks that process customer payments for Adobe, so that they could work with the payment card companies and card-issuing banks to help protect customers' accounts.

We also notified customers whose credit or debit card information we believe to be involved in the incident. In addition to email notifications, customers whose credit or debit card information was involved received a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them.

We also recommend that customers monitor their account for incidents of fraud and identity theft, including regularly reviewing your account statements and monitoring free credit reports. If customers discover any suspicious or unusual activity on their account or suspect identity theft or fraud, they should report it immediately to their financial institution.

Adobe recommends that customers change their passwords on any website where they may have used the same user ID and password.

Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident. However, we recommend that customers run only supported versions of the software, apply all available security updates, and follow the advice in relevant security hardening guides. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products.

We value the trust of our customers. Security guidance and best practices for many Adobe products are available on our Security pages.

Security and in particular the security of customer information are very important to us. We are working diligently internally, as well as with external partners and law enforcement, to address the incident. We value the trust of our customers and will work aggressively to prevent these types of events from occurring in the future.

Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use many of our products, Adobe has attracted increasing attention from cyber attackers. We are working diligently internally, as well as with external partners and law of enforcement, to address the incident. We value the trust of our customers and will work aggressively to prevent these types of events from occurring in the future.