Adobe is warning nearly three million of its customers that their credit card data was breached – and that the intruders also appear to have stolen product source code via “sophisticated attacks.”
On Thursday, Adobe CSO Brad Arkin announced in a blog post that the company is notifying by letter customers whose credit or debit card numbers and expiration dates were accessed. Adobe is also resetting customer passwords, as hackers obtained an undisclosed number of Adobe customer IDs and encrypted passwords in the attacks.
“Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products,” Arkin wrote. “We believe these attacks may be related.”
Arkin later added that “we do not believe the attackers removed decrypted credit or debit card numbers from our systems.”
Banks that process customer payments for Adobe were notified of the breach, and the company is assisting federal police in an investigation.
In an earlier blog post published on Wednesday, Arkin revealed a number of Adobe products where source code was purloined by saboteurs: Adobe Acrobat, ColdFusion, ColdFusion Builder, as well as other products were impacted.
Security blogger Brian Krebs and Alex Holden, CISO at Hold Security, aided Adobe in responding to the incident, Arkin wrote on Wednesday.
On his website, Krebs wrote on Thursday that he and Holden discovered the source code leak about a week earlier. Krebs posted a screen shot of the stolen source code, which he and Holden found on a server operated by the hackers.
The investigations led the security experts to believe that the attackers were the same criminals that hacked other entities, including LexisNexis and more recently, the National White Collar Crime Center (NW3C). According to Krebs, the attackers leveraged vulnerabilities in Adobe’s ColdFusion Web application server to compromise NW3C between late May and August 17.
Krebs revealed that Adobe had launched its own investigation on the breach as of Sept. 17, and that the company confirmed that hackers likely accessed the source code around mid-August.