Adobe hacked: 2.9 million customer names, encrypted credit and debit card, and source code compromised

[Matsuda]

Software firm Adobe today revealed its network was compromised. Information that was leaked included 2.9 million customer names, encrypted credit or debit card numbers, expiration dates, and “other information relating to customer orders.”

Adobe wouldn’t say when the breach occurred, and only mentioned that its security team discovered sophisticated attacks on its network “very recently.” Source code for “numerous Adobe products” was also accessed.

Adobe says it has taken the following steps:

• As a precaution, the company is resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification with information on how to change your password. Adobe also recommends that you change your passwords on any website where you may have used the same user ID and password.
  
• The company is in the process of notifying customers whose credit or debit card information it believes to be involved in the incident. If your information was involved, you will receive a notification letter with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.
  
• It has already notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.
  
• It has contacted federal law enforcement and are assisting in their investigation.
  
  Adobe says its investigation so far has found that the attackers accessed Adobe customer IDs and encrypted passwords on its systems. It does not currently believe they removed decrypted credit or debit card numbers and that it does not think the illegal access of its source code could provide any specific increased risk to its customers.

The company also offered up the following apology:

We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident.

We value the trust of our customers. We will work aggressively to prevent these types of events from occurring in the future. Again, we deeply regret any inconvenience this may cause you.

Adobe is continuing its investigation. We’ll let you know if anything changes.

Source

[DKT27]

Edited the title just a little. :)

I blame it on them moving to Creative Cloud. :P

[oliverjia]

right on. they paid for their stupidity.

I blame it on them moving to Creative Cloud. :P

[mastershake]

wow just wow. sadly payback is a bitch. and no one liked the new cloud..

[DKT27]

Adobe source code and customer data stolen in sustained network hack

Theft could give hackers a new way to exploit widely used Acrobat, ColdFusion apps.

Adobe said it suffered a sustained compromise of its corporate network, allowing hackers to illegally access source code for several of its widely used software applications as well as password data and other sensitive information belonging to almost three million customers.

Adobe dropped the bombshell revelation shortly after KrebsonSecurity's Brian Krebs reported that the hack began sometime in mid August and was carried out by the same criminals who breached LexisNexis and other major US data brokers. In the course of investigating the earlier intrusions, Krebs said he happened upon a 40 gigabyte trove of source code, much of it belonging to Adobe. Adobe confirmed its ColdFusion Web application software and its Acrobat document program were among those that were stolen.

A new generation of exploits

The Acrobat software family, which is intimately linked to the nearly ubiquitous Reader application, has long been a favorite target of malware developers looking for ways to sneak their malicious wares onto people's computers. The specter of hackers having full access to the raw source code of those applications is troubling, because it could make it easier to identify bugs that can be surreptitiously exploited in drive-by website attacks.

"This breach poses a serious concern to countless businesses and individuals," a statement issued by Holder Security, which assisted in Krebs's investigation, warned. "While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for a new generation of viruses, malware, and exploits."

Adobe Chief Security Officer Brad Arkin said officials aren't aware of any unpatched vulnerabilities being targeted in any of the company's products. "However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice of the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide," he added. He thanked Krebs and Alex Holden of Hold Security for their help in responding to the intrusion.

Krebs said Adobe engineers are still in the process of checking on the integrity of its source code. The investigation includes looking for "anomalous check-in activity on its code repositories," which could indicate the intruders were able to introduce backdoors or security bugs or otherwise tamper with the underlying applications.

"We are looking at malware analysis and exploring the different digital assets we have," Arkin told Krebs. "Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched."

In an advisory, Arkin said attackers removed information for 2.9 million customers from company computers. That data included customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to orders. Attackers also accessed customer IDs and "encrypted" (by which Adobe probably means cryptographically hashed) passwords. Customer passwords will be reset, and Arkin recommended customers change passwords on other sites if they matched those used in their Adobe accounts. Arkin said company employees have notified banks that process customer payments so they can work with payment card companies and card-issuing banks to protect customer accounts.

Krebs said that one of the related intrusions he uncovered—into the network of the National White Collar Crime Center—appears to have been initiated by exploiting weaknesses in Adobe's ColdFusion product. While Adobe plugged all known security holes in the product a few months ago, many networks run outdated versions that expose the users to serious hacks. "This indeed may have also been the vector that attackers used to infiltrate Adobe's own networks," Krebs said.

View: Original Article

[truemate]

Thank God i have Pirated Photoshop(and portable ones too) or my data would have been there with the hackers! -_-

[ramiz0]

Thank God i have Pirated Photoshop(and portable ones too) or my data would have been there with the hackers! -_-

That,s right :pirate:

Software firm Adobe today revealed its network was compromised. Information that was leaked included 2.9 million customer names, encrypted credit or debit card numbers, expiration dates, and “other information relating to customer orders.”

Adobe wouldn’t say when the breach occurred, and only mentioned that its security team discovered sophisticated attacks on its network “very recently.” Source code for “numerous Adobe products” was also accessed.

Source

That,s Really Bad

[Mandy]

Very bad!

You would expect tight security especially when such an organization shifts to subscription with cloud and leaving some people saddle with old versions if you are not making money from their software as part of your work to catch up with their subscription.

[jalaffa]

I see...

[oliverjia]

I got the same email early this morning. Damn Adobe for their carelessness and stupidity.

I see...

[anuseems]

Thanks nice share.