Adobe began warning 2.9 million customers Thursday that their Adobe user ID, as well as passwords and credit card numbers — stored in encrypted format — were stolen in a series of “sophisticated attacks” that appear to date from August 2013, if not earlier.
Adobe’s breach warning to customers was preceded by a Wednesday blog post, written by Adobe chief security officer Brad Arkin, revealing that Adobe is investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products.
What are the precise information security risks associated with the double-barreled theft of both source code and customer information? Here are seven facts:
1. Adobe Suspects One Gang Behind The Breaches
Just what did the Adobe attackers steal? “Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems,” said Adobe’s Arkin in the Thursday security announcement. “We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.”
[ Are free, easy-to-use sites fostering a lazy approach to online security? Read WordPress Attacks: Time To Wake Up. ]
Adobe suspects — but hasn’t yet confirmed — that whoever stole the customer data also stole the source code, and the company’s investigators don’t currently think that attackers accessed decrypted versions of credit or debit card numbers. “We deeply regret that this incident occurred,” Arkin said. “We’re working diligently internally, as well as with external partners and law enforcement, to address the incident.”
2. Breach Dates From August 2013 — Or Earlier
The breach was discovered one week ago, not by Adobe, but rather by security researchers Brian Krebs and Hold Security CISO Alex Holden. “[We] discovered a massive 40-GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun Bradstreet and Kroll,” Krebs said in a Thursday blog post. “The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.”
According to Krebs, Adobe has been investigating “a potentially broad-ranging breach into its networks” since Sept. 17, 2013. In a related blog post, Hold Security’s Holden said, “It appears that the breach of Adobe’s data occurred in early August of this year, but it is possible that the breach was ongoing earlier.”
3. Customers Dismiss Adobe Email Notification As Spam
Adobe said it’s reset all affected customers’ passwords and warned customers who reused the same password on other sites (security tip: never, ever reuse passwords) to reset it there as well. Adobe has also shared information with relevant banks about stolen credit and debit card numbers, and Arkin said the company is also offering customers whose credit or debit card information was involved the option of enrolling in a one-year complimentary credit monitoring membership, where available.
Adobe customers have reported receiving emailed notifications about the breach, warning them to “monitor your account for incidents of fraud and identity theft, including regularly reviewing your account statements and monitoring credit reports.” But two different customers who received that email notification — sent late Thursday, Pacific Time — separately told InformationWeek that they’d initially dismissed the “important customer security alert” as spam.