Ok not many of you guys will be Adobe customers, but I am, and this is the first incident of this type that could have affected me I just recently upgraded to Adobe Lightroom 5 (photography digital darkroom) a great program that I use all the time, anyway I have scrambled around changed the account password (which was a low security password anyway and not used on any other sensitive sites) and breathed a sigh of relief when, on checking my upgrade, I found that I had paid using PayPal, my PayPal account is protected by a much more secure password and this effectively means that Adobe did not have a chance to store my card details. What is more alarming is that they think their software base may have been compromised which means that one could have any kind of trojan on one's computer and never know about it Official Announcement here http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html And the detail here http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html#read_faq They still don't say anywhere 'WHEN' this actually happened which is quite important information that they should have published.
Just checked my order history and unfortunately I will be affected as my prior upgrade to version 4 earlier this year was a payment direct to Adobe Before that my last upgrade was 2010 so that card is dead anyway but the one I used in March is still alive. I tend to believe Adobe they would not have unencrypted details of the cards outside the moment that the transactions happened and that nothing has happened in my account in the last 6 months is a good sign, however the hackers have full name and address details and what will be fairly easy brute force reversible hashes of the card details. The unencrypted name and address details are the worst aspect as this opens up identity theft (applications for credit in someone's name). The cards on the other hand, well with 2.9 million sets of details to crack by brute force it will take them a while and by then my card at least will probably be dead so that side is less of a worry.
Seems like no organisation, however big or small is safe. I use Cloudns to host the DNS for 10 domains, they were hacked as well, but they haven't admitted to it yet.
And to think Adobe are now trying to tie people into contracts to subscribe to their software (which becomes null and void once you stop the payments). They get hacked all the time.. The day they released their new software model, they got hacked and the software found its way on warez sites.
Some websites will only store information about credit cards if you want them too. I think that should be the norm. Other sites, such as Google Play and Amazon allow card details to be deleted, but you have to remember to do that after each and every transaction. I don't think any website would store the CVV code but many websites, including Amazon, don't require the CVV code to be entered in order to complete a successful transaction anyway. There are also algorithms for calculating the CVV code from the card number and expiry dates. If you are only using short passwords (8 characters or less) is is relatively trivial to derive your real password from its encrypted (hash) form, should hashed passwords be stolen by such an attack.
