Summary
- Adobe 2013 customer-data breach, password storage, source-code exposure, customer reset, and long-tail identity accountability record.
- Adobe's 2013 customer-data breach exposed account records and source-code risk while forcing a public reckoning with password protection, notification, and long-tail credential reuse.
- Who had practical control over password-storage design, source-code protection, breach notice, customer reset, exposed-field minimization, settlement evidence, and proof that legacy account systems did not keep transferring risk after the disclosure date?
- The accountability issue is that password storage decisions made before a breach can keep imposing costs after the company has reset accounts and moved public attention elsewhere.
- Customers, developers, software buyers, identity-risk teams, regulators, class-action entities, and security engineers needed evidence that account-system repair addressed persistent credential and source-code risk.
Why this case belongs in a risk and accountability file
Adobe made password-storage evidence a long-tail identity accountability test because the 2013 breach was not only a disclosure event. It became a public lesson in how old account systems, password-storage choices, customer notification, software source-code custody, and subscription-era identity dependence can keep transferring risk after a company has told customers to reset passwords. The central accountability question is not whether Adobe eventually acknowledged more affected accounts than the first public number.
It is whether the public record let customers and software buyers understand the durable consequences of the storage design and the repair.
The case is old enough that it can be misremembered as simple history. That is dangerous. Adobe's old customer-security announcement at http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html and source-code announcement at http://blogs.adobe.com/asset/2013/10/illegal-access-to-adobe-source-code.html were early public records of customer data and product source-code compromise. Later reporting, including BBC coverage at https://www.bbc.com/news/technology-24740873, described the expansion from the initially reported 2.9 million affected customers to about 38 million active users and noted source-code exposure involving Photoshop as well as earlier Acrobat and ColdFusion references. The numbers matter, but the design lesson matters more.
Password storage is a pre-breach decision that becomes public only after failure. If a company stores password material in a form that helps attackers build guesses, the reset does not erase the harm. Attackers may not need the original service anymore. They can test the same or similar credentials elsewhere, use password hints to infer patterns, combine email addresses with other exposed data, and keep benefiting from a weak storage design long after the primary site is repaired. That is why the article treats the breach as a long-tail identity record rather than a momentary security headline.
Source-code exposure adds a second time horizon. The SANS Internet Storm Center FAQ at https://isc.sans.edu/diary/The+Adobe+Breach+FAQ/16727 discussed customer data, source code, and ColdFusion context soon after the disclosure. Security coverage from Krebs at http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/ and Ars Technica at http://arstechnica.com/security/2013/10/adobe-source-code-and-customer-data-stolen-in-sustained-network-hack/ also framed the event as both customer-data and source-code compromise. Source code does not create the same risk as a password table, but it can change attacker economics by revealing implementation details, product assumptions, and potential vulnerability paths.
This article does not treat every secondary claim as a proven internal fact. It separates Adobe statements, contemporaneous reporting, technical analysis, and present-day standards. Current Adobe Trust Center pages such as https://www.adobe.com/trust.html and https://www.adobe.com/trust/security.html are used for current security-program vocabulary, not as proof of 2013 controls. OWASP and NIST materials are used for password and identity principles, not as retroactive legal findings. That source discipline matters because long-tail accountability depends on distinguishing what was known, what was later reported, and what still remains outside the public record.
Password storage can transfer cost after the reset
The ordinary response to a breached password database is a reset. A reset is necessary, but it does not answer the whole risk. If the original password storage allowed meaningful offline guessing, attackers may learn the user's password habits even after the Adobe account can no longer be accessed with the old secret. If the same or related password was reused elsewhere, the user's other accounts may remain exposed. If password hints were available in clear or guessable form, they may continue to help attackers. The long-tail cost falls on the user, not only on the breached company.
Ars Technica's password-focused analysis at http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/ became influential because it explained why the form of password protection matters. The article should not be reduced to a technical scolding. It raised an accountability principle: storage design determines how much value attackers can extract after exfiltration. A strong system assumes that database theft is possible and stores password verifiers so that theft is less useful. A weaker legacy system may turn the database into a training set for password crackers.
OWASP's Password Storage Cheat Sheet at https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html provides modern vocabulary for this issue: slow password hashing, salting, work factors, peppering where appropriate, and migration away from weak schemes. Those concepts are not after-the-fact ornament. They define what evidence users and auditors need. When a company says passwords were reset, the public file should still ask what storage design was retired, what new design replaced it, how old records were migrated, whether inactive records were retained, and whether password hints or related account-recovery artifacts were minimized.
NIST's current digital identity guidance at https://pages.nist.gov/800-63-4/sp800-63b.html reinforces the point that authentication is a lifecycle. It includes issuance, maintenance, invalidation, session controls, and redress. A password reset is one event in that lifecycle. Account recovery, MFA options, compromised-secret screening, reauthentication, and redress for authentication problems all matter after a breach. For Adobe, the long-tail issue is whether customers received enough evidence to know how far beyond the Adobe account their credential risk might travel.
The public record shows why "encrypted" can be an limited public evidence user-facing word. Encryption, hashing, salting, and password hints have different consequences, but many notices compress those distinctions into broad reassurance. Users do not need cryptographic lectures, but they do need the practical outcome. Can attackers reverse or efficiently guess the old passwords? Were hints exposed? Were inactive accounts included? Were customer IDs, email addresses, payment records, or other attributes tied to the same file? The notice should answer the user's risk question, not only the company's disclosure category.
Source-code exposure turns a breach into a software-lifecycle problem
Adobe's 2013 event also belongs in this series because source-code exposure extends beyond customer identity. The old Adobe source-code announcement, the SANS FAQ, Krebs reporting, BBC coverage, and Ars Technica coverage all treated the incident as involving source code for major Adobe products or components. Public reporting referenced Acrobat, ColdFusion, ColdFusion Builder, and later Photoshop. The accountability question is not whether source-code exposure automatically creates a known exploit. It is whether the company can prove that product-security review, vulnerability response, and customer guidance changed to match the new risk.
Software lifecycle and lock-in are central to Adobe's accountability surface. Many customers depend on Adobe tools for creative production, document workflows, public-sector forms, enterprise marketing, and PDF handling. They cannot instantly migrate away after a source-code event. That dependency gives the vendor a duty to provide clear product-security evidence: which products were affected, which branches were reviewed, which patches or hardening steps mattered, and how customers could monitor later advisories. Adobe's current security bulletin index at https://helpx.adobe.com/security/security-bulletin.html shows the ongoing vocabulary of advisories and patches, but the public needs the bridge from a source-code event to later product-security assurance.
Source-code custody is also a governance issue. It involves repository access, segmentation, secrets management, build controls, code review, logging, insider and external access monitoring, and incident response. Current Adobe security pages such as https://www.adobe.com/trust/security/product-security.html and https://www.adobe.com/trust/security/incident-response.html describe present-day security-program concepts, including secure product lifecycle and incident response. They are useful because they show what a modern reader should expect to see in an evidence file, even though they cannot prove exactly how the 2013 systems worked.
The long-tail risk is not that attackers hold source code forever in a simple way. It is that defenders need assurance that the exposed code was reviewed through a different lens. If attackers could inspect implementation details, product teams should ask whether obscurity had been treated as a hidden control, whether shared components required review, whether customer-facing hardening guidance should change, and whether historical vulnerabilities should be reexamined. Public-sector continuity enters the file because widely deployed document tools and web application platforms can become institutional dependencies.
A product-security event at that scale is not a private inconvenience.
This is why the evidence file has to connect customer data and source code rather than treating them as separate headlines. Password exposure affects users and identity teams. Source-code exposure affects developers, enterprises, and software buyers. The same breach response needs separate tracks, but those tracks should share a chronology and a governance owner. If the company says customers should reset passwords while product teams quietly review source code, outsiders cannot judge whether the event has been contained. Accountability requires both tracks to be visible enough for dependent organizations to plan.
Notice quality determines whether users can protect other accounts
Adobe's notice problem was not only the initial affected-user count. It was the practical question of what users should do beyond Adobe. BBC coverage at https://www.bbc.com/news/technology-24740873 reported that Adobe reset passwords and that reused credentials on other services remained a risk. That is the core of long-tail identity accountability. The company can disable the old Adobe password. It cannot reset every other account where the customer reused it. The notice therefore has to say enough about credential risk to prompt proportional action elsewhere.
Effective notice would separate several things: active accounts, inactive accounts, customer IDs, email addresses, encrypted passwords, password hints, payment-card data, source-code exposure, and reset status. It would also explain what the company could not validate yet. In a fast-moving incident, numbers can change. That does not make early disclosure useless. It means early disclosure should be explicit about uncertainty. A user can understand that a count may grow. The user cannot act well if a notice collapses all uncertainty into a confident but incomplete statement.
FTC breach-response guidance at https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business helps because it treats notice as part of response, not public relations. The FTC's personal-information guide at https://www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business also points to minimization and safeguards before the incident. For Adobe, the user-facing issue is whether notice translated technical facts into steps: reset Adobe password, change reused passwords elsewhere, monitor payment accounts, watch phishing attempts, and understand what source-code exposure did or did not mean for product users.
The same logic applies to class-action entities and regulators. Legal processes often focus on standing, damages, settlement, and procedural proof. Those records matter, but they do not replace technical evidence. Customers needed to understand the continuing risk to their identities and accounts. Regulators needed to understand whether storage design, inactive records, password hints, and notice practices matched reasonable security expectations. Software buyers needed to understand whether product-security review reached the affected code. A single disclosure channel rarely serves all of those audiences unless it is deliberately structured.
The notice standard should therefore be measured by downstream decisions. Could a customer identify whether they should change passwords on other services? Could an enterprise identity team decide whether to search for Adobe-password reuse in corporate accounts? Could a developer decide whether to monitor Adobe advisories more closely? Could a public-sector buyer ask the right procurement and patch questions? If the notice did not support those decisions, it left long-tail risk outside the company's accountability frame.
Inactive records make legacy systems part of the harm
Inactive records are a recurring problem in old account breaches. BBC reporting stated that Adobe believed the attackers had accessed details from accounts unused for two or more years in addition to active users. That fact matters because inactive accounts often receive less attention from both companies and users. A user may not remember an old Adobe ID, may not monitor its email address, may have reused the password years ago, and may not understand why an old creative-software account creates present identity risk. The company's retention and migration choices therefore shape the user's current exposure.
Legacy account systems also complicate repair. If an old password-storage system was scheduled for retirement or was not part of the current authentication path, the company still has to prove that records in that system cannot keep leaking value. Retiring a system after a breach is not enough if legacy copies, backups, logs, hints, or inactive accounts remain. The public file should state how old stores were inventoried, how they were protected, how they were removed or migrated, and how the company verified that no parallel credential record continued to carry risk.
Data sovereignty and locality appear here as practical record-governance concerns. Adobe served global customers, and identity records may cross product, subscription, support, payment, and regional boundaries. A customer in one jurisdiction may have different notice rights than another, but the technical risk of a password hint or reusable password does not respect that boundary. A long-tail accountability file should explain data categories in a way that travels. It should not require each jurisdiction, customer, or buyer to reconstruct the storage design from fragments.
The NIST Cybersecurity Framework at https://www.nist.gov/cyberframework and CIS Controls at https://www.cisecurity.org/controls provide a way to think about this without making unsupported claims about Adobe's internal systems. Inventory, identity management, data protection, logging, incident response, and recovery are all relevant. A board review should ask whether the company can list old account stores, identify which ones contain authentication material, name the owners, document the retention reason, and prove that obsolete stores have been eliminated or hardened.
The Adobe case remains useful because it shows how a breach can reveal the archaeology of an account system. Companies often modernize front doors while old record stores remain in the basement. Customers cannot see that basement. They learn about it only when an incident exposes it. That asymmetry is the reason legacy systems need public accountability when they create current risk.
Standards are not a verdict, but they define the repair evidence
Modern password-storage standards should not be used lazily as a retroactive verdict on a 2013 system. Technology changes, threat models change, and public guidance evolves. But standards are still necessary because they define what repair evidence should look like now. OWASP password guidance at https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html, NIST identity guidance at https://pages.nist.gov/800-63-4/sp800-63b.html, CISA secure-by-design guidance at https://www.cisa.gov/securebydesign, and Adobe's current security program pages together show the vocabulary of a stronger repair record.
The repair evidence should answer several questions. What password-storage scheme was involved? Was it one-way, salted, slow, and tuned for offline attack resistance? Were password hints stored, and if so, why? Were inactive accounts retained with the same data as active ones? Were old systems decommissioned or merely hidden from ordinary login paths? Did the reset invalidate sessions and tokens? Were users prompted to change reused passwords elsewhere? Were enterprise administrators given indicators to search for exposure? Were product-security teams given source-code review requirements?
Those questions are evidence questions, not accusations. A company can answer them in a way that protects sensitive implementation details. It can describe classes of systems, remediation steps, migration milestones, and external assurance without publishing exploit recipes. What it should not do is ask customers to accept "we reset passwords" as the full repair. A reset is visible. Storage migration, hint minimization, inactive-account cleanup, and source-code review are less visible. That is exactly why they need accountable evidence.
The public file should also distinguish standards documents from legal duties. The FTC guides are business guidance. NIST and CISA documents are public standards or guidance. OWASP is community security guidance. Adobe's Trust Center is company-authored. None of those sources alone is a court finding. But the overlap among them is useful: strong authentication, sound password storage, minimization, incident response, product security, and redress all appear as durable control themes. A long-tail accountability article uses that overlap to define the repair file that customers deserved.
This approach avoids a common error in retrospective breach writing. It does not say, "Here is a modern checklist, therefore the old company failed every item." It says, "Here is the evidence that would now be necessary to show the risk stopped transferring." The distinction matters. Accountability is not only a moral judgment about the past. It is a demand for proof that old design choices no longer harm people who cannot inspect the system themselves.
Product trust and identity trust moved together
Adobe's breach mattered because product trust and identity trust moved together. Customers used Adobe accounts for software access, subscription management, payment, updates, support, and identity. Developers and enterprises depended on Adobe products for document and creative workflows. Public-sector organizations depended on Adobe formats and tools across forms, records, and communication. When customer data and source code appeared in the same public incident frame, the company had to protect both the identity layer and the product layer.
That dual trust surface is visible in current Adobe pages. The Trust Center at https://www.adobe.com/trust.html emphasizes security, privacy, availability, compliance, and product resources. The security overview at https://www.adobe.com/trust/security.html discusses secure product lifecycle, operational security, incident response, and security bulletins. The incident-response page at https://www.adobe.com/trust/security/incident-response.html describes the present approach to monitoring and resolving incidents. The product-security page at https://www.adobe.com/trust/security/product-security.html describes repeatable development processes. Those pages are current, not 2013 evidence. They nevertheless show the integrated proof structure a modern software buyer should expect.
A buyer should be able to ask: if customer passwords were exposed, what changed in identity systems? If product source code was accessed, what changed in product-security review? If old systems held password material, what changed in lifecycle management? If customers had to reset credentials, what guidance helped them handle reuse elsewhere? If old code or old account stores created risk after the disclosure date, what evidence closed the tail? Product trust and identity trust cannot be split when the same account unlocks software, payments, support, updates, and enterprise administration.
This is also where software lifecycle and lock-in become accountability topics rather than business abstractions. Customers often cannot leave a core software vendor quickly. Their files, workflows, staff training, integrations, and procurement schedules keep them dependent. That lock-in increases the vendor's duty to provide usable evidence after a breach. A customer who cannot easily exit needs to know how to keep using the product safely. A vague notice makes lock-in more costly because it leaves the dependent customer to invent its own assurance plan.
The Adobe case therefore remains relevant for cloud and subscription software today. Account systems accumulate old data. Source repositories and build systems become high-value targets. Customers rely on vendor-controlled identity layers. Public-sector users depend on file formats and update channels. A breach that exposes account material and product source code becomes a test of whether the vendor can convert private repair into public assurance without exposing new sensitive details.
The long tail is where accountability is usually lost
Long-tail identity risk is difficult to govern because it outlasts the incident calendar. The company may complete a reset, close an investigation, update a product-security page, and publish new advisories, while customers keep carrying credential habits learned by attackers from the old dataset. That is why the Adobe case remains valuable. It shows that the unit of accountability is not only the breached database. It is the chain of later decisions that customers, enterprises, and security teams must make with partial knowledge of what the database revealed.
The long tail also changes the meaning of harm. A user might not lose money from the Adobe account itself. The user might instead receive targeted phishing, discover that an old password was reused in an unrelated service, spend time reviewing payment records, or become part of a password-cracking corpus that improves attacks against other people. Those costs are diffuse and hard to quantify, but they are not imaginary. They arise from the fact that password material, email addresses, hints, and account history can be recombined after the original account is locked.
Enterprises face a parallel problem. A corporate identity team may have employees who used work email addresses for Adobe accounts or reused related passwords. The team needs to know whether to search for compromised secrets, force resets, check single sign-on exceptions, warn staff, or monitor phishing campaigns. That decision depends on the quality of the public evidence. If a vendor's notice explains only that passwords were reset, it leaves enterprise teams to infer the rest. If the notice explains storage design, affected populations, inactive records, and recommended enterprise actions, it becomes a usable control input.
Public-sector buyers have another dependency. Adobe tools are often embedded in document workflows, form handling, creative production, procurement records, and public communications. A source-code event may not require every agency to stop using the product, but it should trigger questions about advisories, update cadence, compensating controls, and vendor assurance. The accountable vendor does not have to publish sensitive code details. It does have to give customers a reasoned basis for continuing operations safely.
The long tail is where accountability is usually lost because everyone is tired by then. The press has moved on, the legal file is slow, users have reset passwords, and product teams have returned to scheduled work. But attackers do not care about the incident calendar. They care about reusable secrets, code insight, and weak follow-on controls. A mature repair record therefore needs a maintenance phase: updated customer guidance, enterprise administrator notes, product-security follow-up, and confirmation that old stores were cleaned up rather than simply forgotten.
Evidence should travel from security teams to customers
Another lesson from the Adobe case is that private security work has to be translated without being emptied of substance. Security teams may know which stores were exposed, which cryptographic scheme was used, which code repositories were reached, which customer groups were notified, and which systems were retired. Customers do not need the raw internals, but they do need an accurate public version of those facts. If the translation removes the distinctions that matter, the notice becomes less useful than the private evidence that produced it.
The translation should be deliberately layered. The first layer is for individual users: reset the Adobe password, change reused passwords elsewhere, be alert for phishing, monitor payment instruments if relevant, and understand whether payment-card data was involved. The second layer is for enterprise administrators: identify affected corporate email domains, assess credential reuse, monitor login failures, communicate with staff, and track vendor advisories. The third layer is for software buyers: ask about source-code review, secure development changes, bulletin cadence, and support commitments.
The fourth layer is for regulators and courts: retain dates, counts, data categories, notice records, and remediation proof.
Each layer should preserve the same facts with different levels of technical detail. That is the best way to avoid contradiction. If users are told only to reset passwords while administrators are told that source code was exposed, the public file appears fragmented. If lawyers describe encrypted password material while security analysts explain why the design still aided cracking, the public may hear reassurance and alarm at the same time. A strong accountability file makes those statements compatible by explaining the practical consequence of each term.
Adobe's present Trust Center language is relevant because it shows that companies now understand assurance as a public product. Security program descriptions, incident response pages, product-security pages, and bulletin indexes are part of how buyers judge trust. The lesson from 2013 is that those public assurance systems should be ready before a breach forces them to carry a complex story. A trust page that exists only for sales cannot do the work. A trust page connected to evidence, advisories, and accountable owners can.
The repair file should therefore be designed as an evidence pipeline. Internal forensic findings become customer categories. Customer categories become notices and administrator guidance. Product-security findings become advisories and lifecycle changes. Legal records become procedural accountability without replacing the technical record. Standards become benchmarks for future assurance. When that pipeline is missing, each audience builds its own interpretation, and the company loses control of the public meaning of its repair.
A complete Adobe repair file would preserve the tail
A complete repair file would start with a validated chronology. It would list when the intrusion was detected, when customer data exposure was confirmed, when source-code access was confirmed, when affected counts changed, when password resets occurred, when customer notices went out, when inactive records were assessed, and when product-security reviews or advisories followed. Each date should identify the evidence available at that time. The point is not to punish early uncertainty. It is to prevent later summaries from erasing the uncertainty that shaped customer decisions.
The second part would be a storage-design record. It would explain the password-storage system involved, the treatment of salts, work factors, encryption or hashing, password hints, inactive records, and migration to stronger storage. It would also describe which legacy stores were decommissioned, which backups were retained, and how old credential material was made less useful. Customers do not need the secret implementation details. They do need confidence that the old design stopped transferring risk.
The third part would be a customer action record. It would separate Adobe-account resets from reused-password risk elsewhere. It would give enterprise administrators guidance for searching corporate credential exposure. It would give individual customers clear advice about changing reused passwords, watching payment accounts, and resisting phishing based on the breach. It would explain whether credit monitoring or identity-theft help applied to specific populations. It would preserve differences between payment-card exposure, account-ID exposure, password exposure, and source-code exposure.
The fourth part would be a product-security record. It would explain which product source-code repositories were involved, which product lines were reviewed, which advisories or patches were related if any, and how customers should monitor future bulletins. It would also explain what was not known. Source-code exposure is not the same as a confirmed vulnerability in every product. But it changes the assurance burden. A software vendor should be able to show that it examined the code and the development pipeline with the exposure in mind.
Finally, the repair file should have a closure standard. Closure should not mean that public attention moved on or that the first password reset finished. Closure should mean that old account stores were inventoried, storage design was strengthened, inactive records were addressed, product-source exposure was reviewed, customer guidance was delivered, and remaining uncertainty was named. For Adobe, the long-tail lesson is that password-storage evidence has to outlive the news cycle.
Reader evidence file
The article uses the following public sources as a reading file for Adobe 2013 customer-data breach, password storage, source-code exposure, customer reset, and long-tail identity accountability record. Company announcements are treated as evidence of what Adobe publicly said at the time. News and security analysis are used for chronology and technical context. Current company trust pages and standards guidance are used to define modern repair evidence rather than to prove 2013 internal controls.
- Public source used for the evidence file: http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
- Public source used for the evidence file: http://blogs.adobe.com/asset/2013/10/illegal-access-to-adobe-source-code.html
- Public source used for the evidence file: https://www.bbc.com/news/technology-24740873
- Public source used for the evidence file: https://isc.sans.edu/diary/The+Adobe+Breach+FAQ/16727
- Public source used for the evidence file: http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
- Public source used for the evidence file: http://arstechnica.com/security/2013/10/adobe-source-code-and-customer-data-stolen-in-sustained-network-hack/
- Public source used for the evidence file: http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/
- Public source used for the evidence file: https://www.adobe.com/trust.html
- Public source used for the evidence file: https://www.adobe.com/trust/security.html
- Public source used for the evidence file: https://www.adobe.com/trust/security/incident-response.html
- Public source used for the evidence file: https://www.adobe.com/trust/security/product-security.html
- Public source used for the evidence file: https://helpx.adobe.com/security/security-bulletin.html
- Public source used for the evidence file: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
- Public source used for the evidence file: https://pages.nist.gov/800-63-4/sp800-63b.html
- Public source used for the evidence file: https://www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business
- Public source used for the evidence file: https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business
- Public source used for the evidence file: https://www.cisa.gov/securebydesign
- Public source used for the evidence file: https://www.nist.gov/cyberframework
- Public source used for the evidence file: https://www.cisecurity.org/controls
This evidence file is deliberately wider than one announcement because the long-tail problem crosses password storage, inactive records, source-code custody, account reset, product assurance, and software-buyer dependency. The public record should let readers separate customer-identity repair from product-security repair without pretending those duties are unrelated.
Board review questions
A board review should ask who owned the legacy account stores, who owned password-storage migration, who owned customer notice, who owned source-code repository access, who owned product-security review, who owned enterprise-customer guidance, and who owned closure. The answer should be a control map, not a narrative of effort. Control maps make it harder for old systems to remain everybody's risk and nobody's named duty.
The review should also require evidence that inactive records are governed. Old accounts, old backups, old hints, and old authentication stores should have owners, retention reasons, protection standards, and removal dates. If a product move to subscription increases the value of account identity, the company should revisit old stores before attackers do. Legacy does not mean harmless.
The board should require a source-code exposure playbook. It should define repository isolation, credential and secret rotation, code review triggers, customer advisory rules, product-hardening review, and evidence for dependent customers. A source-code event may not require public details about every internal repository, but it does require enough assurance for customers who must keep using the software.
For this specific case, a board review should ask whether who had practical control over password-storage design, source-code protection, breach notice, customer reset, exposed-field minimization, settlement evidence, and proof that legacy account systems did not keep transferring risk after the disclosure date? The answer should include dated evidence, named owners, password-storage migration proof, inactive-record cleanup, product-security review, customer-action guidance, and residual uncertainty that did not disappear when the first reset completed.

