"Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems." These are the words of Brad Arkin, Chief Security Officer at Adobe as he reveals that one of the biggest names in the software business has fallen victim to what can only be described as a massive security breach: passwords and credit card data for nearly three million customers, source code for Adobe products - folks this looks like it was Xmas come early for the hackers.
Adobe has now confirmed that Adobe Acrobat, ColdFusion and ColdFusion Builder were amongst those hit, and 'other products' were also involved although it has yet to state which for some reason. This in itself is very big news, and very unusual as far as security breaches go. We are far more used to hearing of login and password databases being compromised, credit card data stolen etc. Things with an obvious and quick route turning a profit for the cyber criminals. However, stealing the source code for such high profile and widely-used software is something else. Now, it could be that the hackers just stumbled across the code during a successful breach of security systems and 'got lucky' in finding it when customer data was the real target. Or the reverse could be true and it could be that the hackers were after the source code primarily and just grabbed whatever collateral was laying around and accessible while they were at it. Whatever the case, and we will probably never know, the fact of the matter is that with access to the full source like this, skilled and malicious cyber criminals will be able to examine the code for vulnerabilities in a way that they wouldn't be able to otherwise. Given the relatively poor track record that Adobe has when it comes to vulnerabilities, I wouldn't be at all surprised if some new zero-day exploits emerge in the coming weeks and months.
Brad Arkin has stated that relevant customer passwords are being reset, and those impacted will get an email notification forthwith. "We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident" Arkin continues "If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you." Adobe is also offering customers whose credit or debit card information has been accessed the option of enrolling in a one-year complimentary credit monitoring membership where available. The company has also notified the banks processing customer payments for Adobe and, of course, federal law enforcement.