Hackers broke into Adobe Systems’ internal network on Thursday, stealing personal information on 2.9 million customers and the source code for several of Adobe’s most popular products.
“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates and other information relating to customer orders,” Brad Arkin, Adobe’s Chief Security Officer, wrote in a Thursday blog post.
“At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems,” he noted.
Adobe is currently in the process of resetting the passwords for all accounts affected by the hackers. The company is also taking steps to notify customers whose credit or debit card information was hacked, including offering the affected customers a complimentary year-long membership in a credit-monitoring service.
At the same time, Adobe announced that it had contacted the banks in charge of processing its customer payments to help protect customers’ identities. Federal law enforcement agencies have also been contacted to assist in the investigation.
Before Adobe made its announcement, Brian Krebs of KrebsOnSecurity reported several details about the hack, linking the attack to a group of cyber criminals who have also hacked into data aggregators LexisNexis, Kroll and Dunn & Bradstreet. While Adobe did not announce which programs the hackers had illegally accessed, in the same post, Krebs speculates that they may have obtained the source code for Adobe Acrobat and ColdFusion.
Adobe insists that the attack, which has appeared to take place in August, will have no bearing on the security of its products, despite the hackers obtaining the source code for Acrobat and ColdFusion. Private security firm Hold Security seems to disagree, stating that Acrobat and ColdFusion's source code could possibly be used maliciously.
"Adobe products are installed on most end-user devices and used on many corporate and government servers around the world," Hold Security said in a blog post. "While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for [a] new generation of viruses, malware, and exploits."