Attackers accessed customer IDs, encrypted passwords as well as source code for a number of Adobe products, Adobe chief security officer Brad Arkin announced.
Arkin said Adobe is working with law enforcement on the breach in which attackers accessed source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and possibly other Adobe products.
“Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident,” Arkin said in a statement.
Arkin called the attacks on the Adobe network “sophisticated,” and that information on 2.9 million customers was removed from the company’s machines, including customer names, encrypted credit and debit card numbers, expiration dates and other information used in customer orders.
“At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems,” Arkin said. “We deeply regret that this incident occurred.”
Arkin said Adobe is not aware of any zero-day exploits used in the attack, but encouraged customers to run only supported versions of Adobe products and ensure patch levels are current. He said users should also follow guidance available in the Acrobat Enterprise Toolkit and ColdFusion Lockdown Guide.
“These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products,’ Arkin said.
Adobe said it is resetting customer passwords to prevent further access to customer accounts. Impacted customers will be notified via email with information on how to change their passwords, Arkin said.
He added that Adobe is also working on notifying customers whose payment card information was accessed. Notification letters are going out with additional information related to protecting personal information. Adobe said it is offering customers one year of complimentary credit monitoring.
Arkin credited security reporter Brian Krebs and Alex Holden of Hold Security LLC for alerting them to a potential issue and helping with response. Krebs reported today he became aware of the source code leak one week ago when he discovered 40 GB of Adobe data on the same server used by the criminals involved in the LexisNexis, Dun & Bradstreet and Kroll breaches earlier this year.
“The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat,” Krebs wrote today.
Krebs said Adobe believes attackers cracked a source code repository in mid-August after accessing part of Adobe’s network that handles credit card transactions.
Krebs also has a screenshot of Acrobat code from the repository including code for as of yet unreleased product features.
“We’re still at the brainstorming phase to come up with ways to provide higher level of assurance for the integrity of our products, and that’s going to be a key part of our response,” Arkin told Krebs. “We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”