Adobe Was Hacked - What You Should Do to Protect Yourself

I was going to write something about the success of Creative Cloud today, but news that Adobe has been hacked and that attackers gained access to confidential information from millions of customers put those plans on ice.

Since this is a pretty serious breach, I thought I'd share some thoughts on what you should do immediately if you are a Creative Cloud user, as well as some tips on what you can do to protect your personal information when using cloud services.

But, first, if you haven't read anything about the security breach, here are some details from Adobe:

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.

If you want more in-depth information on the security breach, check out this blog post from Brad Arkin, Adobe's Chief Security Officer.

Change Your Creative Cloud Password Immediately

Adobe said that it has automatically reset relevant customer passwords. Just in case it missed something, why not get in front of things and change your password? It's good practice to do this on a regular basis anyway.

Watch Your Credit Card Activity

If you have been using Creative Cloud, log in to your credit card site over the next little while and watch for any suspicious transactions. Even with zero liability credit cards, it's good practice to monitor activity fairly regularly.

To this end, Adobe is going to offer a one-year complimentary credit monitoring service to customers whose credit card or debit card information was involved.

Change the Password On Other Sites Where You Used Your Creative Cloud Password

It's really risky to use the same password on different sites, but most of us do it anyway.

In this case, the hackers could look at all the email addresses that go along with the passwords they stole and see which people use Gmail, Hotmail, etc. Then they could go to these sites and try logging in with the stolen passwords.

Once someone is in your email box, they have access to a treasure trove of information. There are probably old reset password links, notifications from every service you use, etc. If you've used the same password on all these sites, it's really easy for someone to start taking over all of them.

If you used your Creative Cloud password on other sites, you should go to them immediately and change the passwords.

Use a Different Password on Every Site and Use Really Strong Passwords

I know you are going to say that it's a real pain to create strong passwords for every site that you use. I agree that it's totally unworkable if you are trying to remember all of the passwords yourself.

That's why I use a program called 1Password to manage all of my passwords. The software essentially stores the user-name and password for all of your favorite sites on your hard drive. When you return to one of the sites, it can automatically log you in. When you sign up for new sites, it will offer to generate a password and will store your credentials in an encrypted format.

The great thing is that you only need to remember the master password that is needed to open the application. Since you only need to remember one thing, you can make a really strong password and actually have a hope of remembering it.

1Password includes a password generator that can create a unique and very strong password for every site that you use. You can tailor the recipe (number of characters, symbols, numbers, etc.), and the password generator will copy it into the appropriate fields of the sign-up form, confirm the password, and save it in an encrypted format.
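As an added illustration of a recipe-driven generator (this is not 1Password's code and is not from the original post), the sketch below builds passwords from the operating system's secure random source and works out how many bits of entropy a given recipe provides. The default recipe, the symbol set and all function names are assumptions.

```python
import math
import secrets
import string

# Assumed symbol set; sites differ in which symbols they accept.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length: int = 20, digits: int = 3, symbols: int = 2) -> str:
    """Return a password with exactly `digits` digits and `symbols` symbols;
    every remaining position is a letter. Randomness comes from the OS CSPRNG."""
    letters = length - digits - symbols
    if min(length, digits, symbols) < 0 or letters < 0:
        raise ValueError("recipe asks for more digits and symbols than fit")
    chars = [secrets.choice(string.digits) for _ in range(digits)]
    chars += [secrets.choice(SYMBOLS) for _ in range(symbols)]
    chars += [secrets.choice(string.ascii_letters) for _ in range(letters)]
    # Shuffle so the position of each character class is unpredictable too.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def recipe_entropy_bits(length: int = 20, digits: int = 3, symbols: int = 2) -> float:
    """Bits of entropy of the recipe: log2 of the number of distinct passwords
    it can produce (position layouts times character choices)."""
    letters = length - digits - symbols
    layouts = math.comb(length, digits) * math.comb(length - digits, symbols)
    choices = 10 ** digits * len(SYMBOLS) ** symbols * 52 ** letters
    return math.log2(layouts * choices)


def passwords_for(sites):
    """One independent password per site, so a breach at one site exposes
    nothing that works at another."""
    return {site: generate_password() for site in sites}


if __name__ == "__main__":
    # Constructed site names, for illustration only.
    for site, pw in passwords_for(["example-shop", "example-mail"]).items():
        print(site, pw)
    print("entropy of default recipe: %.1f bits" % recipe_entropy_bits())
```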

1Password offers apps for Mac, Windows, iOS, and Android, and allows you to sync your passwords between all of your different devices using Dropbox, iCloud or Wi-Fi. If you've ever tried manually typing fXopew9Eh9gNwY:CV{gv on an iPhone, you'll immediately see the benefit of this.

Using a tool like this is a much better strategy than using a couple of weak, but easy to remember passwords to secure different sites.

Use Two-Factor Authentication if Available

Cloud services are increasingly offering enhanced security options like two-factor authentication. This essentially means that rather than just relying on a user-name and password, they will also ask for a physical access token.

For example, with Google's system, you install the Google Authenticator application on your smartphone and register it with your Google account. When you log in to Gmail, you are prompted for your usual user-name and password. If that is entered correctly, you are asked to enter a code that is generated by the Google Authenticator application.

Even if someone finds your user-name and password, they would not be able to gain access to your account unless they had access to your phone.

It's probably a good idea to use this on high value sites where there is lots of personal information or where there is financial risk. This includes things like PayPal, Gmail, Yahoo, Twitter, Facebook, Dropbox, WordPress, Amazon Web Services, and Evernote.

Give Sites the Minimum Amount of Information They Need

Maybe you don't need to store your birth date and other personal information with every site you sign up for. Many ecommerce sites offer to remember your credit card information to make it easier to do repeat purchases. It's probably better to turn this off and enter the information manually with each purchase, or use something like LastPass to fill in this information for you.

Prune The List of Services You Use

It's easier to secure your personal information and watch for irregular activity if you can remember what you've signed up for in the first place. I'm going to spend the next couple of hours deleting accounts with services that I no longer use.

Set a Strong Password for Your Computer and Encrypt Your Hard Drive

It's convenient to boot right into your OS, but you stand to expose lots of valuable information if your computer is lost or stolen. Setting a strong login password is pretty simple, and encrypting the hard drive will render its contents unreadable if someone removes the drive from your computer. If you are using a Mac, encrypting your hard drive and all your Time Machine backups is really easy with FileVault 2, which is included with OS X.

Other Tips

If you have any other suggestions, please add them to the comments below.