With the focus on Washington D.C. over the last few days, I guess it kind of makes sense that one of the premier software companies in the world would quietly announce that they have been hacked over the last few months. In August, it appears that Adobe, Inc. lost control over the source code for, at least, their Acrobat and ColdFusion product lines. Then in September - specifically between the 11th and 17th - the personal information for 2.9 million individuals was stolen from their servers.
The personal data which the hackers stole, according to ComputerWorld, includes:
So far, Adobe's investigation has revealed that attackers managed to access Adobe customer IDs and encrypted passwords, as well as obtain information on 2.9 million customers, including names, encrypted credit or debit card numbers with their expiration dates, and other customer order details.
At this point, no one thinks that any of the credit card data which was stolen was decrypted. However, it is also important to note here that the full scope of the theft doesn't seem to be completely understood. The hackers obviously had a long time to access the data on the servers. According to Krebs, Adobe Chief Security Officer Brad Arkin told them:
“We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”
However, according to ComputerWorld:
Adobe could not confirm whether the popular Adobe Reader product was also affected, or if the security breach also resulted in the theft of encryption keys or code-signing certificates.
If you have purchased software from Adobe
For those of you who have purchased Adobe applications for your home or office, start looking for emails from the company.
Do not ignore them. If you work for a company that has purchased multiple licenses for Adobe software (for example, for Acrobat), forward the information you receive to your payables and legal departments so they can be informed and take action. Adobe has already changed the passwords for the accounts which they know have been stolen. In addition, Adobe will be providing those users whose data was stolen with an optional 1 year of free credit monitoring services.
Adobe's press release states that they are conducting the following actions immediately:
- As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.
- We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.
- We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.
- We have contacted federal law enforcement and are assisting in their investigation. [Author's note: with the government shut down, I wonder how many law enforcement resources are available to work on this issue]
So please keep a wary eye out for anything suspicious on your credit card statements if you have purchased software from Adobe.
If you use Adobe software
Currently, Adobe doesn't know exactly how much of their code has been stolen. It is more than a little disconcerting that one of the stolen titles they do acknowledge, ColdFusion (a rapid web application development platform), had an update released after the source code theft. Adobe's Arkin seems confident that the ColdFusion code has "maintained its integrity".
I would be remiss if I did not mention that it was an investigation by Krebs into a series of hacks into LexisNexis, Dun & Bradstreet and Kroll Background America which led Krebs to the discovery of the ColdFusion source code. Those hacks, which supposedly took place over three to six months, allowed the thieves to access social security numbers, birth records, credit and background reports on millions of Americans. In addition to the three companies mentioned, Krebs was investigating a similar ColdFusion-based hack which compromised the National White Collar Crime Center:
a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.
Krebs believes that the same group that stole the Adobe code is responsible for the data thefts of the companies mentioned above. Krebs and Adobe have also announced that the source code for Acrobat and ColdFusion Builder has been found on non-Adobe servers.
While most casual computer users may not recognize Adobe's ColdFusion product, many of us know and use Adobe Acrobat or its companion product, the Acrobat Reader. Adobe Acrobat is used to generate and modify the ubiquitous .pdf files found on the internet. The Acrobat Reader is the tool we use to read those .pdf files. Next Tuesday (October 8) Adobe will be releasing updates to the Windows versions of both of these products. Krebs describes these updates as "critical security updates".
Why this is important
Hold Security, the company that worked with Krebs to shine some light on this issue, says it best:
This breach poses a serious concern to countless businesses and individuals. Adobe products are installed on most end-user devices and used on many corporate and government servers around the world. While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.