Last month, Adobe Systems Inc. reported a serious security breach that compromised its product source code and the accounts of 150 million customers. Adobe has selectively notified only 38 million of its customers to date. Given the sheer volume of the breach, it is expected to take a great deal longer for all customer concerns to be addressed.
The stolen customer database was published online by those behind the attack and has since been widely circulated. Unfortunately, around 5,000 of the compromised Adobe accounts are clearly associated with Ryerson email addresses — used either as the Adobe user ID or as a means of contact.
Worse yet, the stolen data exposed password hints, many of which were chosen poorly. Some users submitted the password itself as a password hint; others used password fragments, or hints that the same passwords were being used at both Adobe and Ryerson.
At least one third party has deliberately targeted, analyzed and publicly posted the stolen details of the affected Ryerson users. The post has since been taken down, but it has highlighted the cascading risks from Adobe to Ryerson users, systems and data.
We have already issued an advisory twice in the last month regarding the critical need to:
- Reset the Adobe password (regardless of notification from the vendor)
- Ensure that all Adobe software is kept up-to-date
Furthermore, it is strongly emphasized that any Ryerson user who has an Adobe account must reset both their Adobe and Ryerson passwords.
Finally, all Ryerson users are urged not to reuse their Ryerson password elsewhere.