On Thursday, Adobe announced a data breach that affected 2.9 million of its customers. The types of data elements accessed and stolen included customer names, ID numbers, encrypted passwords, encrypted credit- and debit card numbers, expiration dates, and information related to customers' software orders. At the time of the breach announcement, Adobe does not believe that unencrypted credit- and debit card numbers were stolen.
Adobe is working with its partners and law enforcement to investigate the breach and resolve the situation. Besides notifying affected customers' banks, Adobe is:
"... resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password... notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you..."
Adobe will offer affect customers one year of free credit-monitoring services.Perhaps most troubling is that during the Adobe breach, hackers modified and/or stole the company's source code for several of its products. Reportedly, products with stolen source code included Adobe Acrobat and ColdFusion. Adobe produces several other proudcts including Photoshop, which is available through the company's Creative Cloud service.
The Krebs On Security blog announced the breach before Adobe confirmed it:
"... hackers accessed a source code repository sometime in mid-August 2013, after breaking into a portion of Adobe’s network that handled credit card transactions for customers... affected customers — which include many Revel and Creative Cloud account users... Adobe is still in the process of determining what source code for other products may have been accessed by the attackers, and conceded that Adobe Acrobat may have been among the products the bad guys touched..."
Krebs On Security reported that the hackers behind the Adobe breach are the the same group behind the NW3C breach:
"...the attackers appear to have initiated the intrusion into the NW3C using a set of attack tools that leveraged security vulnerabilities in Adobe’s ColdFusion Web application server..."
The modified and/or stolen source code for Adobe software products is particularly alarming and troublesome because it becomes very easy for hackers and thieves to insert malware inside of product software to do far more damage, identity theft, and data breaches. It undermines totally the security of the software.