Hackers steal Adobe product source code and credit card data of three million customers


Adobe is warning nearly three million of its customers that their credit card data was breached – and that the intruders also appear to have stolen product source code via “sophisticated attacks.”

On Thursday, Adobe CSO Brad Arkin announced in a blog post that the company is sending letters to customers whose credit or debit card numbers and expiration dates were accessed. Adobe is also resetting customer passwords, because the hackers obtained an undisclosed number of Adobe customer IDs and encrypted passwords in the attacks.

“Very recently, Adobe's security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products,” Arkin wrote. “We believe these attacks may be related.”

Arkin later added that “we do not believe the attackers removed decrypted credit or debit card numbers from our systems.”

Banks that process customer payments for Adobe were notified of the breach, and the company is assisting federal police in an investigation.

In an earlier blog post published on Wednesday, Arkin named a number of Adobe products whose source code was purloined by saboteurs: Adobe Acrobat, ColdFusion and ColdFusion Builder, as well as other products.

Security blogger Brian Krebs and Alex Holden, CISO at Hold Security, aided Adobe in responding to the incident, Arkin wrote on Wednesday.

On his website, Krebs wrote on Thursday that he and Holden discovered the source code leak about a week earlier. Krebs posted a screenshot of the stolen source code, which he and Holden found on a server operated by the hackers.

The investigations led the security experts to believe that the attackers were the same criminals who hacked other entities, including LexisNexis and, more recently, the National White Collar Crime Center (NW3C). According to Krebs, the attackers leveraged vulnerabilities in Adobe's ColdFusion Web application server to compromise NW3C between late May and August 17.

Krebs revealed that Adobe had launched its own investigation into the breach as of Sept. 17, and that the company confirmed that hackers likely accessed the source code around mid-August.
