Cyber security expert Brian Krebs says he tipped Adobe to the possibility that its systems may have been breached after he found 40 GB of Adobe source code stowed away on a server that had been used by hackers alleged to have attacked LexisNexis, Dun & Bradstreet and others earlier in the year.
Adobe says the breach appears to have occurred in mid-August, with the digital thieves making off with encrypted credit/debit card and other personal data for around 2.9 million users and name/password combinations for a currently undetermined number of customers.
“As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts,” wrote Adobe in its announcement of the hack. “If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.”
Similarly, Adobe will contact customers whose credit card info may have been compromised, offering them the option of enrolling in a one-year complimentary credit monitoring membership where available.
“We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts,” says the company, adding that it is working with federal law enforcement to find the hackers.
“We are in the early days of what we expect will be an extremely long and thorough response to this incident,” Adobe’s Chief Security Officer, who has probably had better weeks, tells Krebs.
As for concerns that the exposed source code might open up existing Adobe products to security risks, the Adobe exec says, “We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”