Adobe Source Code, Customer Information Stolen

Adobe has suffered a massive security breach, with cyber-attackers stealing information related to 2.9 million customers.

That stolen information includes customer names, encrypted credit- and debit-card numbers, and data related to customer orders. Adobe insists that the attackers didn’t abscond with any decrypted credit- or debit-card numbers, and plans on sending warning emails to customers whose information was somehow involved in the incident (that’s on top of forcing a password reset on affected accounts). Law enforcement is apparently assisting the company in the investigation.

“Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available,” read a note on Adobe’s corporate blog. “We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.”

The attackers also gained illegal access to the source code of various Adobe platforms, including Adobe Acrobat, ColdFusion, and ColdFusion Builder. Adobe claims it’s not aware of any zero-day exploits present in that code, which an attacker could use to spark all sorts of havoc with Adobe customers. Brian Krebs, who runs the KrebsOnSecurity blog, found a 40GB “trove” of Adobe source code parked on a server “used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll.” It’s assumed—although unconfirmed at this time—that the attackers targeting the source code were the same ones who siphoned Adobe’s customer information.

Krebs hinted that Adobe is still trying to figure out the extent of the attackers’ access, and that some of the stolen code may have belonged to unreleased Adobe components. The attackers may have used a vulnerability in an outdated version of ColdFusion to access Adobe’s networks, although the company hasn’t yet released a full postmortem on the attack.

Earlier this year, Adobe began focusing the bulk of its software-development efforts on its Creative Cloud offering, as the company sought to profit from the tech industry’s general movement toward the cloud. In an interview with Mashable, Adobe CEO Shantanu Narayen discussed some of the ways his company would benefit from migrating to Creative Cloud’s SaaS model: better piracy controls, less money spent on product packaging (and shipping, presumably), and speedier upgrade cycles. “Companies that wish to thrive in this next tech era need to embrace or perish,” he told the publication. “We’re not only embracing, we’re leading.”

It remains to be seen whether Adobe’s massive security breach hinders its attempts to get more customers to join its cloud.

