Feature
Adobe has confirmed that one of its servers has been hacked. In a statement that appeared on an Adobe blog by Adobe security chief Brad Arkin, the company admits that the attackers removed information on 2.9 million customers, including names, encrypted credit and debit card numbers, card expiration dates, and information relating to customer orders.
Personal Data Compromised
However, the statement says, Adobe doesn’t believe that the hackers were able to remove decrypted credit and debit cards from the system. Even still, ask any of their customers and it’s a sure bet they don’t want that information -- decrypted or not -- out in the public domain.
And if that wasn’t bad enough, Adobe has also admitted that hackers have also accessed the source code of at least 3 Adobe products, including Adobe Acrobat, ColdFusion, ColdFusion Builder, as well as other unnamed Adobe products.
Adobe hasn’t said that the two incidents are related, but the blog post announcing the source code hack is dated October 2, a day before the posting about the customer information hack. While it is likely that the two are related and that Adobe discovered the second attack while investigating the first one, it is by no means certain.
News of the source code hack was revealed by Brian Krebs on the KrebsonSecurity website, who along with the IT security company Hold Security, first discovered the problem. In a blog post, Krebs says that evidence of the hack had been discovered about a week ago:
KrebsOnSecurity first became aware of the source code leak roughly one week ago, when this author — working in conjunction with fellow researcher Alex Holden, CISO of Hold Security LLC — discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll.
Security Implications
The implications of this attack are enormous and could create continuing problems for Adobe customers moving into the future, even if Arkin says that “…We are not aware of any zero-day exploits targeting any Adobe products…”
Learning Opportunities
Webinar
Jun
6
The Future of Social Media: Emerging Trends and How to Stay Ahead of the Curve
The impact of emerging technologies like AI on social media
Webinar
Jun
7
The Building Blocks of Personalization
This webinar will explore how personalization can create powerful ecommerce shopping experience.
Webinar
Jun
8
Attracting—and Keeping—Your High-Net-Worth Investors
Join PwC to dissect their recent survey findings on a specific customer subset — high-net-worth investors.
Webinar
Jun
13
The Future of Contact Centers with AI at the Helm
Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX
Webinar
Jun
13
Learn How to Deliver Dynamic Video Experiences at Scale
Learn how to convert existing assets into video experiences in near real-time.
Webinar
Jun
20
3 Steps to Unlock Your Customer Data and Drive Revenue
Discover how Twilio Segment’s #1 Customer Data Platform helps implement data-driven strategies.
But isn’t that exactly the problem with the theft of source code? While Adobe may not be aware of zero-day exploits, if the hackers have been clever enough to get in in the first place, then what’s to stop them from finding new holes in all that code. Nothing at all really, especially given Adobe Acrobat’s reputation for flawed security.
On top of this, while Adobe is understandably playing it down and reassuring its customers that they can bypass any potential nastiness by taking a few simple security precautions, Hold Security is not so sure that it will be as simple as that:
…While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data.Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.
On a wider level, it also puts the question of cloud security and data protection back on the table. Anyone that uses Adobe products will remember being forced to move to the cloud.
While there are cloud providers who will argue that you can isolate cloud infrastructure from attacks like this, it’s the bad publicity that’s going to hurt regardless of how safe the cloud can be.
Finally, for Adobe, this is just one mess and, unfortunately, not the first time its security has been compromised, with another internal server hack almost exactly a year ago. To paraphrase Oscar Wilde: To be hacked once may be regarded as a misfortune, to be hacked twice looks like carelessness.
