Adobe Systems Inc (ADBE.O) said on Thursday that hackers had stolen source code to some of its most popular software and data about millions of its customers.
Security experts worry about the theft of source code because close review of the programs can lead to the discovery of new flaws that can be used to launch hard-to-detect attacks against all users of that software.
The hackers took source code for Adobe Acrobat, which is used to create electronic documents in the PDF format, as well as ColdFusion and ColdFusion Builder, used to create Internet applications, Adobe said.
Adobe Chief Security Officer Brad Arkin said the company had been investigating the breach since its discovery two weeks ago and that it had no evidence of any attacks based on the theft. “Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident,” Arkin wrote on an Adobe blog.
Arkin said hackers also took information on 2.9 million Adobe customers, including their names, user identification numbers and encrypted passwords and payment card numbers. He said the attacks may be related.
The company said it was resetting passwords for affected customers worldwide and warning people to change any passwords reused at other sites. The U.S. Department of Homeland Security’s computer incident response team on Thursday warned that Adobe customers should be on the alert for fraud.
Adobe said it was working with banks and federal law enforcement to mitigate intrusions on customer accounts and to pursue those responsible.
The company said it had been helped by cybersecurity journalist Brian Krebs and security expert Alex Holden, who found a cache of Adobe code while probing attacks at three major U.S. data providers.
Krebs wrote on his blog, KrebsonSecurity.com, on Thursday that the two men discovered the code while investigating breaches at Dun & Bradstreet Corp (DNB.N), Altegrity Inc’s AGRTY.UL Kroll Background America Inc and Reed Elsevier’s (REL.L)(ELSN.AS) LexisNexis Inc.
He said the Adobe code was on a server that he believed was used by those who hacked into LexisNexis and the others. The hackers offered Social Security numbers, credit report information and other highly sensitive data for sale over the Internet and had access inside the companies’ websites through hacked computers, Krebs said.
In a 10-Q filing on Thursday, Adobe referred to the recent attacks in one paragraph. “We do not believe that the attacks will have a material adverse impact on our business or financial results,” it said. “It is possible, nevertheless, that this incident could have various adverse effects.” (Reporting by Joseph Menn and Jim Finkle; Editing by Eric Walsh and Carol Bishopric)
… Adobe must be the one company in the world to have a worse track record at security than Microsoft, Oracle or Mozilla. They have ignored industry best practices and been a thorn in the side of the rest of the industry for years while being oblivious to the damage their customers have suffered from their shoddy practices.
This is the same company that wants you to rely on their security as the only way to their products now that they only rent a cloud based versions of Acrobat Suite. Incidents like this are inevitable and people need to learn that their is nothing magical about the “cloud”. Companies that have cloud dependencies for the use of their products necessarily expose all of their customers when they get cracked. …
The evolutionary paradigm applies to the Internet, a war of balance between security and privacy, ease of use and protection from abuse still drives technologies in new directions.