Adobe Addressing Massive Data Breach, Source Code Leak

Adobe Systems has acknowledged a massive data breach of its systems, resulting in the exposure of personal data on millions of its customers as well as the precious source code that serves as the foundation to its Adobe Acrobat, ColdFusion and other products.

Adobe Thursday said attackers stole the personal data of 2.9 million people. The information included customer names, encrypted credit and debit card numbers, expiration dates and other information related to customer orders.

"Very recently, Adobe's security team discovered sophisticated attacks on our network," the company said in a statement. "We value the trust of our customers. We will work aggressively to prevent these types of events from occurring in the future."

[Related: Verizon Analysis: Top 10 Causes Behind Data Breaches ]

The company said it is resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. Affected customers will receive an email notification with information on how to change the Adobe password. Adobe said it also is notifying customers whose credit or debit card information was exposed in the breach. Banks and credit card processors have been notified of the incident, Adobe said.

Meanwhile, Adobe is investigating the illegal access to the sensitive servers that contained the source code for its Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products. Few details were released, but the company said that based on its findings it is not aware of any increased risk to customers as a result of the source code leak. Security experts told CRN that source code leaks can be used by hackers to discover vulnerabilities that can be exploited in widely used Adobe products.

"We are not aware of any zero-day exploits targeting any Adobe products," Adobe said. "However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide."

The guide and documentation provide security best practices for installing and using the platforms as well as implementing system updates and information for developers to build secure ColdFusion applications. Adobe credited noted security blogger Brian Krebs and Alex Holden, chief information security officer of Hold Security, for their role in helping investigate the incident.

Adobe told Krebs that investigators believe that hackers accessed a source code repository sometime in mid-August 2013. Adobe said it was looking for anomalous check-in activity on its code repositories and for other things that might seem out of place before it could understand the scope of the source code exposure.

Access to the source code is potentially the most damaging part of the Adobe breach, security experts told CRN. Cybercriminals can sell the source code to more sophisticated vulnerability researchers and malware writers to create zero-day exploits that can be used against the software, said George Tubin, a senior security strategist at Trusteer, an IBM company.

"Access to Adobe source code is a huge deal," Tubin said. "Attackers get in by exploiting vulnerabilities in popular applications and Adobe applications are so widely used; it's on almost everybody's desktop."

NEXT: Companies Struggle To Detect, Contain Attacks, Say Experts

Other security experts told CRN that the breach is another example of how organizations of all types struggle to address security weaknesses and maintain adequate defenses.

Businesses struggle with security on a daily basis, said Dave Lewis, a noted security expert who serves as senior security advocate at Cambridge, Mass.-based cloud platform provider Akamai Technologies.

"We don't do the fundamentals well," Lewis said. "All companies say they have to innovate, but my problem is that they haven't built a strong foundation in order to facilitate innovation."

The scope of the Adobe breach is still likely being understood by the incident response team, said Rob Kraus, director of research on the security engineering research team at managed security services provider Solutionary. Kraus said it's too soon to tell how attackers gained access, but companies often fail to monitor both inbound and outbound communication to prevent data leakage.

"Right now they say they're following the breadcrumbs and how big they are will help them connect the dots of how the person got in and how extensive the damage is," Kraus said. "Most organizations don't have the visibility inside their network to validate what the actual initial point of entry was for the compromise, and that is a serious problem."

PUBLISHED OCT. 4, 2013