Massive Adobe security breach exposes 2.9M customers

Adobe Systems Inc. said 2.9 million customers had their IDs, passwords and credit-card data stolen by hackers who breached the U.S. software company's security. "We deeply regret that this incident occurred," Chief Security Officer Brad Arkin said in a blog post. "We're working diligently internally, as well as with external partners and law enforcement, to address the incident." The software company, known for its Photoshop graphics editing program, Acrobat PDF document readers and other programs, also said source code for numerous Adobe products was stolen in a separate but related intrusion. Products whose source code was stolen include the Acrobat family of products, the ColdFusion Web application platform, ColdFusion Builder and unspecified other Adobe products, the San Jose, Calif., company said. "Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident," Adobe said. But Alex Holden, chief security officer of Hold Security LLC, said the source-code theft could give hackers access to individual and corporate systems that use Adobe software, raising the specter of new attacks. "Effectively, this breach may have opened a gateway for a new generation of viruses, malware and exploits," he wrote in a blog post. Holden and Brian Krebs of the Krebs on Security blog were the first to identify and report the source-code thefts. Adobe said it thanked them for their help. Adobe -- which said the "sophisticated attacks" were carried out "very recently" -- said the 2.9 million customers' stolen information included their names, encrypted information about their credit or debit cards, the cards' expiration dates and "other information about customer orders." The company said it reset affected customers' passwords and contacted them by email with instructions about changing the passwords again. Adobe also recommended those users change their passwords for other websites since the passwords, which they might use elsewhere, were now known to the hackers. Adobe added it would send information showing customers how to guard against credit-card fraud. The company offered those customers a complimentary one-year credit-monitoring membership. In addition, Adobe said it notified banks about the attacks so they can help protect customer accounts.