Adobe loses 2.9 mil customer records, source code
by Byron Acohido
Adobe has become the latest big-name data breach victim.
The company that mainstreamed desktop
publishing admitted in a statement that hackers gained unauthorized
access to 2.9 million customer accounts and stole part of the source
code for at least two major consumer-facing products.
"The Adobe breach shows that everyone is
fair game," says Eduard Goodman, chief privacy officer at risk
management firm IDentity Theft 911. "The hackers went in and stole
private consumer information in the form of card information, even if it
was encrypted, and they stole intellectual property. Those are two
valuable assets. "
This news was flushed out by Brian Krebs, author of the cybersecurity blog, krebsonsecurity.com.
Krebs last week disclosed similar breaches at
data aggregator LexisNexis, Kroll Background America and Dunn &
Bradstreet. These scoops are the result of analysis Krebs has been doing
with Alex Holden, CISO of Hold Security LLC, of a massive trove of data
found on a server used by cybercriminals.
Krebs and Holden found that the crooks'
stored what appeared to be source code for Adobe Acrobat and Adobe
ColdFusion, a web app development tool.
This could rank as one of the more
devastating attacks against a tech giant. Adobe touches every personal
computing device that uses its Acrobat document reader to open PDF
files, and every app developer using Adobe ColdFusion to design the next
hit web app.
It's a safe bet that the bad guys are
hard at work devising novel ways to corrupt media and services that spin
out of those widely used Adobe products. Their likely end game:
innovate new ways to take control of computing devices and sneak deep
inside corporate networks.
Aaron Titus, the chief privacy officer
at Identity Finder, credits Adobe for at least encrypting customers'
information, unlike Sony, which infamously lost unencrypted
payment card data for 77 million PlayStation Network and 25 million
Sony Online Entertainment subscribers to the Anonymous hacking
collective in 2011.
"The far more worrying story is that
hackers apparently have obtained 40 gigabytes of Adobe source code,
which may include Adobe's most popular products, Adobe Acrobat and
ColdFusion," says Titus. "Security professionals in organizations around
the world should be on high alert for an increase in Acrobat-related
attacks as hackers analyze the code for possible zero-day exploits."
Adobe has become a prime target of
hackers for the past two years. Both good guy and bad guy researchers
have been uncovering a string of zero-day security holes, forcing the
company to issue patches.
"These are valuable assets," Goodman
says. "It just goes to show that it doesn't matter who you are. Everyone
is targeted. Hackers are always going to find the weak link."
In a blog post, Brad Arkin, chief
security officer of Adobe, said: "Very recently, Adobe's security team
discovered sophisticated attacks on our network, involving the illegal
access of customer information as well as source code for numerous Adobe
products. We believe these attacks may be related.
"Our investigation currently indicates
that the attackers accessed Adobe customer IDs and encrypted passwords
on our systems. We also believe the attackers removed from our systems
certain information relating to 2.9 million Adobe customers, including
customer names, encrypted credit or debit card numbers, expiration
dates, and other information relating to customer orders. At this time,
we do not believe the attackers removed decrypted credit or debit card
numbers from our systems. We deeply regret that this incident occurred.
We're working diligently internally, as well as with external partners
and law enforcement, to address the incident."
No comments:
Post a Comment
Please leave a comment-- or suggestions, particularly of topics and places you'd like to see covered