Adobe information breach affects students’ MyASU accounts

Thousands of ASU students received email notifications telling them to change their MyASU password because of an Adobe information breach this November.

Communications graduate student Jason Striker, communications manager of the University Technology Office at ASU, said the office was working to spread the word of the impending danger.

“(The breach) affected the 2.9 million Adobe customers,” he said. “This included anyone with an ASU domain.”

Once the University received notice of the breach, it acted quickly.

“Once this was published and made public through Adobe … the information security office here actually scanned that for all of the asu.edu so any user IDs that were published or emails that were used at asu.edu were scanned,” Striker said.

The UTO sent out an email to users who may have been affected by the breach.

“(Giving) advice to keep (students’) privacy and security intact was the main concern of the University,” Striker said.

To counter the hack in the system, students were required to update their passwords. In addition, they were encouraged to create a new security question.

“If they hadn’t (updated their password) by the 22 of November, they would have been forced to change their password,” Striker said.

If their passwords were not changed by the set date, students’ accounts would be locked until the change occurred.

According to the Adobe website, the hackers gained information of user IDs and encrypted passwords. The site also said it was possible, though unlikely, that the attackers gained information pertaining to customers including identifications, addresses, credit card numbers and other disclosed information.

Customer identification was only taken from Adobe sites, Striker said.

“From the University perspective … nothing was breached here,” Striker said. “The only thing that we did was enhance our security measures around those affected users.”

Art educator Alisa Spavronskaya said she vaguely remembers about these security enhancements but didn’t think anything of it at the time.

“Although I appreciate their security precautions, I think it’s a bit annoying,” she said. “They already make us change our password so many times anyway.”

The Adobe site said members of the security team have not discovered risks that may occur to customers through continuing Adobe service. The site did, however, encourage changing identical passwords.

“Some people use the same password across domains,” Striker said.

These domains include email addresses, Facebook accounts and Twitter profiles. If a password is the same for all these, and the same used with the asu.edu account, the attacker would have access to large quantities of consumer information.

Brian Krebs is an investigative reporter for Krebs on Security, an Internet security blog, who caught wind of this breach through an investigation he did in March.

He said although he isn’t sure, signs point to the people who breached the original company are from the same organization that broke into Adobe.

“Either the same guys (broke) into all these different companies, or lots of different guys (using) the same infrastructure,” he said.

He alerted Adobe about this possible breach, one that involved a source code. He said Adobe was already aware of it, but his actions may have pushed the company to disclose information sooner than it planned.

Source coding is computer programming that is written in a way the developer can understand but is difficult for others to access. The attackers discovered a way to infiltrate it.

“I wouldn’t say that anybody found a way to stop them,” Krebs said.

Adobe representatives declined to comment.

Reach the reporter at lmnewma1@asu.edu or follow him on Twitter @Logan_Newsman