Hello again friends, welcome back to the show that never ends: another massive corporate data raid, millions more user accounts and login credentials and payment details potentially compromised, and top secret source code on the loose.
Welcome to the club, Adobe! You probably know Bank of America, Heartland Payment Systems, Epsilon, Sony, Valve, the U.S. government, the Canadian government, PayPal, the Iranian government, Foxconn, Farmers Insurance, MasterCard and all the rest whose names I haven’t memorized yet. Just have a seat on the floor, because we’re out of chairs.
We’re early days into this latest hacker debacle — Adobe just confirmed the breach on Wednesday — but if you want the CliffsNotes version of what happened and where things stand, here’s the concise explainer:
Hackers broke into Adobe Systems, Inc. and accessed source code and user data.
…discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll. The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.
If these guys knew last week, why didn’t they let us know then?
Presumably to give Adobe a better shot at nabbing the ne’er-do-wells, though it sounds like Adobe was aware of the problem since mid-September. Krebs says he sent Adobe screens of the pilfered source code last week, and that Adobe responded to him on October 3 by confirming it had been investigating a possible network breach since September 17. When Krebs spoke with Adobe about the breach specifics, he says Adobe told him it believes the source code was accessed back in mid-August.
What sort of user data was compromised?
According to Adobe, the hackers accessed the credit card information of around three million customers, as well as the login information of an unknown number of customers.
Any products we know about specifically?
Krebs says the hackers grabbed source code for “an as-yet undetermined number of software titles, including [Adobe's] ColdFusion Web application platform, and possibly its Acrobat family of products.” Adobe confirms this, listing the products illicitly accessed as “Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products.”
Did anyone goof with the source code?
This matters more if you’re on the development side, but Krebs says Adobe told him that the company “has undertaken a rigorous review of the ColdFusion code shipped since the code archive was compromised,” and that it’s confident code shipped since the incident occurred is solid.
As for the rest of the source code potentially compromised, Adobe says its investigation is ongoing.
I have an Adobe account. Am I at risk?
In a security announcement issued on Thursday, Adobe writes that “the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.” It says that information — specifically user account passwords and credit card details — was encrypted, and that it believes the attackers didn’t remove “decrypted credit or debit card numbers” from its systems.
In other words, yes, you’re at risk: believing something’s the case isn’t the same as knowing. But that risk, according to Adobe, is very low.
Do I need to do anything?
Yes. Even were Adobe claiming it knew the information extracted was innocuous, you need to take basic precautions. Adobe concurs in its security announcement, writing that it’s dispatching emails to anyone whose account was potentially compromised. If you receive such an email, follow Adobe’s instructions to reset your password. And as Adobe notes, if you’ve used the same user ID and password with any other website or service, you’ll want to change the password there as well.
Anything else Adobe’s doing to rectify the problem?
The company says it’s giving customers whose credit/debit card info might have been compromised “the option of enrolling in a one-year complimentary credit monitoring membership where available.” The company says it’s also notified any banks that process Adobe-related customer payments, and that it’s pulled in federal law enforcement to help with its investigation.