Customer names, IDs, encrypted passwords and credit card numbers, and other important personal information for millions of customers of the multimedia software company Adobe Systems Inc. have been purloined in a monumental hack of the company's corporate network. The hackers were able to access the source code of some of Adobe's most popular software as well.
Adobe is now playing damage control, as it announced on Wednesday that it was investigating "illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an unauthorized third party."
Brad Arkin, CSO for Adobe, said on the company's blog, "We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders."
He added, "At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems."
A "New Generation of Viruses"
Brian Krebs of KrebsOnSecurity first caught the attack, in an investigation assisted by Alex Holden of Hold Security. Krebs wrote on Thursday that he first became aware of the source code leak a week before it was announced, when he and Holden found a huge 40GB source code "trove" on a server believed to be used by the same black hat hackers who breached LexisNexis' secure database earlier this year.
Of the source code archive discovered, Holden said, "it appears that the breach of Adobe's data occurred in early August of this year but it is possible that the breach was ongoing earlier. While it is unclear at this time how the hackers obtained the source code and whether they analyzed or used it for malicious purposes, it appears that the data was taken and viewed by unauthorized individuals."
Holden went on to say that the security breach "poses a serious concern to countless businesses and individuals" and that, while they are not aware of any specific malicious use, "effectively, this breach may have opened a gateway for a new generation of viruses, malware, and exploits."
Adobe's Damage Control
Adobe's Brad Arkin apologized to customers in his blog post, saying, "We deeply regret that this incident occurred. We're working diligently internally, as well as with external partners and law enforcement, to address the incident."
The steps Adobe has already taken include resetting customer passwords for those directly affected by the breach. Customers whose user IDs and/or passwords were taken from Adobe's network will get an email notification to change their passwords, and Adobe recommends that customers also change their credentials on any website where they use the same user ID and password (of course, you're not supposed to do that anyway).
Customers who have had their credit or debit card information taken will be notified as well, though Adobe stresses that decrypted credit or debit card numbers (i.e., immediately exploitable data) are not believed to have been stolen. Adobe is offering customers whose encrypted card information may have been stolen a free one-year membership in a credit monitoring program.
The company will also release a security update on Tuesday, Oct. 8, for Adobe Reader and Adobe Acrobat XI for Windows.