Hackers access Adobe’s source code, plus 2.9 million customer accounts

Software giant Adobe announced a major security breach Thursday, in which hackers accessed its software source code plus millions of customers' credit card and login information. Who’s behind the attack and how does it affect Adobe customers?

Nick Ut/AP/File
Credit card decals adorn a window of a wig shop in the Hollywood section of Los Angeles, Sept. 5, 2007.

Adobe is a software company you likely use on a daily basis without even realizing it, running applications like the ubiquitous Flash plugin and Adobe Acrobat (which reads PDFs), to ColdFusion (a web application development tool) and Photoshop. Now this software company is in the spotlight as the latest victim of a major security breach.

Adobe announced Thursday that a hacking group had gained access to 2.9 million Adobe customer accounts, including login and credit card information, as well as the source code to several flagship Adobe products. The company announced in a blog post customers whose accounts were compromised will be prompted to change their password, and it has reached out to credit card companies to alert them of the potential breach.

Adobe was alerted to the attack by cybersecurity journalist Brian Krebs, working with researcher Alex Holden, CISO of Holden Security LLC, who discovered 40 GB of stolen data that included the source codes for several Adobe products, such as Acrobat and ColdFusion, according to a blog post on Krebs’ website. Krebs and Holden alerted Adobe of the hack, and the company confirmed the hackers likely gained access to the source code repository after breaking into Adobe’s credit card transaction network.

Krebs, a former Washington Post security reporter turned independent cybersecurity journalist, says Adobe encrypts credit card information; so a password change will likely be the extent of the effect on 2.9 million people whose customer accounts were accessed. The larger issue is that the hackers were able to access Adobe’s closed source code, which could mean more attacks are on their way.

“If you give somebody the blueprints to the Death Star, it is a lot easier to infiltrate,” he says.

The Death Star in this case is the Adobe software ecosystem, which runs closed-source code that isn’t available to the public. One reason companies use closed-source code is for security: if people can’t see the code, they don’t know how to break it. That is unless, as in this case, the code is illegally accessed. Though Adobe is now aware of a few vulnerabilities in its software, the hackers that had access to the source code could be on the prowl for other weak spots.

This could mean more widespread attacks on Adobe products, which cover everything from opening PDFs through Adobe Reader to designing web apps through Adobe ColdFusion. So what is the hackers' motivation? Krebs says it could range from gaining deeper access for more targeted attacks, as hackers better understand the framework of Adobe security, or even to sell source-code secrets. An Adobe source code vulnerability could go for “tens of thousands” of dollars, he estimates. And this is only the tip of the iceberg.

"It wasn’t just some opportunistic [hacker]," he says about the attacks. "They’ve been very methodical about the targets."

He points out that the hackers behind the attack were also behind recent data breaches at LexisNexis (which holds a huge database of legal and public records), Dun & Bradstreet (a data aggregator), and Kroll Background America Inc. (which gathers information on employment, drug, and health screening). Their motivation, he explains in a previous blog post, for those attacks was likely to gain information on knowledge-based authentication, which could then be used to apply for credit or transfer money. So if a banker asks a hacker for a social security number or employment history, they would be able to answer using information gleaned from these companies’ servers.

This news comes to light amid a growing number on cyber attacks on companies from Apple to US-run natural gas pipeline operators, to the New York Times, and motivations can be anything from political statements to identity theft. Krebs says he isn’t sure whether the rise in attacks is due to an increase in attacks or increase in coverage of attacks, but he says it is something that every business needs to look out for.

“Any organization that says they aren’t getting attacked likely [isn't] looking hard enough,” he says.

Though Adobe has its security work cut out for them, what could the average Adobe customer do to protect against a future hack? Krebs says switching up software, like using Foxit or Sumatra to read PDF files is a good idea. Another Adobe blog post suggests updating all security measures on Adobe software.

Ultimately, Krebs says it comes down to whether companies are developing their cyber security as fast as hackers are finding cyber vulnerabilities.

“I only expect these acts to grow,” he says. “The question is: can companies up their game?"

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Hackers access Adobe’s source code, plus 2.9 million customer accounts
Read this article in
QR Code to Subscription page
Start your subscription today