
News Adobe breach leaks source, millions of customers' details

Discussion in 'Article Discussion' started by Meanmotion, 4 Oct 2013.

  1. faugusztin

    faugusztin I *am* the guy with two left hands

    I don't talk about the source code, that is a separate question. But for the rest:
    1) Credit card data CANNOT be hashed. Hashing is a one-way function; data cannot be restored from a hash. Hashing is useless for anything but passwords in this context.
    2) If credit card data was encrypted, then to be able to show/edit credit card information to users via the website, it has to have access to the credit card information and have access to the decryption keys. And because that key has to be part of the website, it is pretty much useless, unless we talk about a database-only hack, which is not what happened here, as this one looks like a complete hack including internal systems.
     
  2. Corky42

    Corky42 Where's walle?

    Maybe I can't judge, but I can form an opinion based on what is known.

    This attack happened in mid-August (6-8 weeks ago); Adobe has been working on an investigation into a potentially broad-ranging breach into its networks since Sept. 17 (2-3 weeks ago); customers only received notification this week. They have only bothered to notify their customers because a third party discovered 40GB of Adobe source code out in the wild:
    http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
    It believes but doesn't have actual proof in the form of logs and such; it doesn't even know how many user names and passwords have been compromised.
    Again we are told it believes (meaning without absolute proof).
    Adobe's Chief Security Officer Brad Arkin doesn't even know what software the servers he is responsible for are running, and also runs out-of-date software.
    You are free to form your own opinion on how Adobe has put millions of people at risk based on the facts we do have, but I think it's safe to say the information we do have doesn't paint a pretty picture of Adobe's so-called security.

    @faugusztin, we both seem to have conflated hashes with encryption, when it is more than likely Adobe used a block cipher (a block cipher is reversible if you know the key).
     
    Last edited: 6 Oct 2013
  3. gcwebbyuk

    gcwebbyuk Dib Dabbler

    So how do Adobe compare to other companies that we trust our data with?

    News articles can be easily written to make a situation sound good or bad.

    I agree, it doesn't sound great that Adobe chose to keep this from the public eye for so long. I would expect the reason for this to come out at some point soon; there will be someone somewhere who is willing to explain, although again, by that time Adobe could have written some spin to put on it.

    Bottom line is that data is never really safe. You gotta make the most of a bad situation - bit like life really...
     
  4. Corky42

    Corky42 Where's walle?

    Well Sony got fined £250k when the PSN got hacked, and you only have to look at the fines issued by the ICO to see the problem is very bad.

    2010 - 2 fines totalling £160,000
    2011 - 7 fines totalling £541,100
    2012 - 17 fines totalling £2,143,000

    Yet companies keep insisting the cloud and subscription-based services are the way of the future.
    Yes, news articles can be written with bias, but when they use quotes and confirmations from an interview you tend to take them at face value.
    Yes, data is never really safe, it's all a matter of degrees, but you would expect a third party to take the same or better security measures than you do. If I had the slightest suspicion of a data breach I would act immediately to change passwords or cancel CCs.
     
  5. monkiboi

    monkiboi Minimodder

    I just want to extend a little on what Faugusztin is saying in point 1, for those who are still not following.

    When you first sign up for a service and enter a password, this password is put through a hashing algorithm (there are many to choose from), which returns a random-looking string of characters, which is then stored as your password in the database. Now you cannot reverse engineer this, which is why, if you forget your password, you have to reset it.

    You can increase the security further by adding in what's called a 'salt', which adds a string of characters to your password and then hashes it.

    Now, the hashing is consistent in that the same password you enter whenever you log in will always produce the same hashed string, as long as the same algorithm is used, so when you log in, your password is hashed and then compared to the hashed password in the database. If they match, you're logged in.

    Obviously, this won't work for credit card details as the company providing the service to you needs to present those card details to the bank for every recurring payment and if it was hashed they couldn't retrieve those numbers. You could potentially do it if the bank used the same hashing and salt as the vendor but then the bank opens itself up to huge security risks.

    Banks also demand what's called PCI compliance from anyone using their services for online payments, which dictates how customer details are stored and the security measures you need for compliance, but that's not really relevant here.
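The sign-up and login flow monkiboi describes, as an added example that is not code from this thread or from Adobe: each user gets a random salt, the salt is stored alongside the hash, and login re-hashes the attempt with that stored salt. The iteration count, record format and use of PBKDF2 are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumptions for this demo, not anything Adobe used).
ALGORITHM = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Sign-up: hash the password with a per-user random salt.

    Returns a storable record "pbkdf2_sha256$iterations$salt_hex$hash_hex".
    The salt is kept in the record because login needs it again.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login: re-hash the attempt with the stored salt and compare.

    hmac.compare_digest avoids leaking where the two strings first differ.
    """
    scheme, iterations, salt_hex, hash_hex = stored.split("$")
    algorithm = scheme.split("_", 1)[1]
    digest = hashlib.pbkdf2_hmac(
        algorithm, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def shared_password_visible(record_a: str, record_b: str) -> bool:
    """True if two stored records expose that two users chose the same password.

    With per-user salts this is False even when the passwords are identical,
    which is the extra protection the salt buys if the table leaks.
    """
    return record_a.split("$")[3] == record_b.split("$")[3]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```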
     