Brad Arkin, Adobe’s chief security officer, announced in a blog post Thursday that a sophisticated cyber attack on the company’s network caused the source code for numerous programs to be illegally accessed by hackers, as well as the personal information of millions of Adobe users.
Founded in 1982, the Silicon Valley company is known for an array of products, including the PhotoShop editing software and the PDF, SWF and FLV file formats.
According to Arkin, Adobe believes the attackers pilfered customer names, encrypted credit and debit card numbers, expiration dates, and other information related to customer orders pertaining to roughly 2.9 million Adobe clients.
Arkin said the company does not believe the attackers accessed decrypted information, but stopped short of confirming that plain-text data wasn’t compromised.
“We’re working diligently internally, as well as with external partners and law enforcement, to address the incident,” he said.
He also stated that the theft of customer data and the source code for numerous Adobe products was likely related.
Brian Krebs, a well respected security researcher and former Washington Post reporter, acknowledged that he stumbled upon a 40 GB trove of Adobe source code around one week ago on the same server thought to be used by the hackers behind other recent major compromises. Krebs said that the source code pertained to Adobe’s ColdFusion and Acrobat software, which would suggest that hackers have obtained the blueprints for some of the company’s most widely used products.
Hold Security, a firm that worked in conjunction with Krebs, said that “This breach poses a serious concern to countless businesses and individuals.”
If hackers have been able to access Adobe source code, they could theoretically be able to analyze that information and engineer malware that exploits vulnerabilities and compromises the security of several million users, experts fear.
“Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits,” Hold Security said in a statement.
“We are not aware of any zero-day exploits targeting any Adobe products,” the software makers responded. “However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide.”
Speaking to Krebs, Adobe’s Arkin said “We are in the early days of what we expect will be an extremely long and thorough response to this incident.”
“We’re still at the brainstorming phase to come up with ways to provide higher level of assurance for the integrity of our products, and that’s going to be a key part of our response,” he said. “We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”
Following Adobe’s announcement on Thursday, shares in the company fell 64 cents each but have since rebounded.