Adobe has confirmed that one of its servers has been hacked. In a statement that appeared on an Adobe blog by Adobe security chief Brad Arkin, the company admits that the attackers removed information on 2.9 million customers, including names, encrypted credit and debit card numbers, card expiration dates, and information relating to customer orders.
Personal Data Compromised
However, the statement says, Adobe doesn’t believe that the hackers were able to remove decrypted credit and debit cards from the system. Even still, ask any of their customers and it’s a sure bet they don’t want that information -- decrypted or not -- out in the public domain.
And if that wasn’t bad enough, Adobe has also admitted that hackers have also accessed the source code of at least 3 Adobe products, including Adobe Acrobat, ColdFusion, ColdFusion Builder, as well as other unnamed Adobe products.
Adobe hasn’t said that the two incidents are related, but the blog post announcing the source code hack is dated October 2, a day before the posting about the customer information hack. While it is likely that the two are related and that Adobe discovered the second attack while investigating the first one, it is by no means certain.
News of the source code hack was revealed by Brian Krebs on the KrebsonSecurity website, who along with the IT security company Hold Security, first discovered the problem. In a blog post, Krebs says that evidence of the hack had been discovered about a week ago:
KrebsOnSecurity first became aware of the source code leak roughly one week ago, when this author — working in conjunction with fellow researcher Alex Holden, CISO of Hold Security LLC — discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll.
The implications of this attack are enormous and could create continuing problems for Adobe customers moving into the future, even if Arkin says that “…We are not aware of any zero-day exploits targeting any Adobe products…”
But isn’t that exactly the problem with the theft of source code? While Adobe may not be aware of zero-day exploits, if the hackers have been clever enough to get in in the first place, then what’s to stop them from finding new holes in all that code. Nothing at all really, especially given Adobe Acrobat’s reputation for flawed security.
On top of this, while Adobe is understandably playing it down and reassuring its customers that they can bypass any potential nastiness by taking a few simple security precautions, Hold Security is not so sure that it will be as simple as that:
…While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.
On a wider level, it also puts the question of cloud security and data protection back on the table. Anyone that uses Adobe products will remember being forced to move to the cloud.
While there are cloud providers who will argue that you can isolate cloud infrastructure from attacks like this, it’s the bad publicity that’s going to hurt regardless of how safe the cloud can be.
Finally, for Adobe, this is just one mess and, unfortunately, not the first time its security has been compromised, with another internal server hack almost exactly a year ago. To paraphrase Oscar Wilde: To be hacked once may be regarded as a misfortune, to be hacked twice looks like carelessness.