Source code and 2.9 million accounts raided by attackers in Adobe breach

In a blog post on Thursday, Adobe said that during a security audit sometime around September 17, the company discovered that attackers had accessed Adobe customer IDs, as well as encrypted passwords. In addition to IDs and passwords, Adobe Chief Security Officer, Brad Arkin, said that the attackers also accessed customer names, encrypted credit and debit card numbers, expiration dates and “other information.”

[Espionage campaign targeting Asian supply chains uncovered]

“At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. Were working diligently internally, as well as with external partners and law enforcement, to address the incident,” Arkin wrote.

In all, Adobe says that the breach impacts some 2.9 million customers worldwide, and that they’re in the process of sending out notifications to those who had credit or debit card details compromised. Further, Adobe has alerted the banks processing customer payments, in order for them to help protect accounts upstream.

“If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password,” Arkin advised.

Making matters worse, Adobe also admitted that source code was breached during the incident, sparking fears that criminals who have accessed the information may have used it to develop new attacks. Adobe says they’re not aware of any increased risk to customers because of this incident, and noted that they’ve not seen any Zero-Day exploits targeting their software. However, this doesn’t mean that said Zero-Days don’t exist now due to this breach, nor does it mean that unreported attacks aren’t taking place.

The earliest known date of discovery is September 17, but Adobe hasn’t said how long the attackers have had possession of the stolen source code, nor can they comment on how far it’s spread online. Last week, reporter Brian Krebs, found 40 GB worth of Adobe’s proprietary data on a server used by criminals, but by the time he found it, Adobe was already investigating its theft.

In an advisory to customers, Adobe confirmed that the source code theft impacted Adobe Acrobat, ColdFusion, ColdFusion Builder and “other Adobe products.” As to what those other products are, Adobe didn’t say.

[5 myths of encrypting and tokenizing sensitive data]

CSO reached out to Adobe in order to ascertain the type of encryption employed to protect credit card data. In addition, we asked for clarification to the point that attackers didn’t remove “decrypted credit or debit card numbers from” Adobe systems. We’re they saying such unprotected data exists? Furthermore, we asked for information on how the attackers got in. Specifically, was it via Phishing or was it vulnerabilities in a server or application?

Unfortunately, Adobe would only point to their blog post, and declined to answer any other questions. In a statement the company would only say the investigation was ongoing. CSO will share any new information as it becomes available. In the meantime, Adobe recommends that customers update to the latest supported software versions, and that they download the newest releases when they’re made available on October 8.