Adobe hacked: Software company warns personal info for millions of customers has been stolen


posted Friday, October 4, 2013 at 1:43 PM EDT


Does your digital darkroom include software from Adobe? If so, now might be a good time to change the password for your Adobe ID account, and perhaps to double-check the recent history of your charge card. The Californian software company has today disclosed a major security breach, accompanied by the theft of personal and financial details for some 2.9 million Adobe customers, as well as login information for an unspecified number, and source code for some of its applications.

According to a statement from Adobe's chief security officer, Brad Arkin, the stolen information includes customer names and IDs, passwords, credit or debit card numbers, expiration dates, and other unidentified information about customer orders. Fortunately, the company believes that the most crucial data stolen -- the passwords and charge card numbers -- were all in encrypted form, which will make it harder for hackers to use the information. How much harder, though, is an open question. Adobe has not yet revealed how the data was encrypted, or whether it was salted, which would increase the difficulty of cracking the encryption with techniques such as rainbow tables.

Arkin notes that customers whose details are believed to have been compromised will be receiving notification from the company, and will find that their Adobe ID password has been reset. There's always the possibility that mail could go astray, though, so we'd suggest logging into your account now, and changing your password to be on the safe side. (And if you use the same password on other sites, it would likely be advisable to change it everywhere that you've been using it.)

Adobe has notified both federal law enforcement and the banks responsible for processing its customer payments, notes Arkin. As for those customers whose charge card information may have been stolen, Adobe has pledged to provide a year of free credit monitoring to affected individuals. If the option is available to you -- and we'd guess that will depend on your location -- it's one we'd strongly recommend taking up.

As well as the theft of customer information, hackers also stole source code for Adobe products, but the company hasn't yet disclosed which apps may have been compromised. According to the well-known blog Krebs on Security, which apparently discovered some 40 gigabytes of Adobe source a week ago on a server known to be used by cyber criminals, Adobe's ColdFusion and Acrobat products are likely among the apps for which source code is now in the wild. The availability of the source code to hackers increases the risk of zero-day exploits, but Adobe notes that it is not currently aware of any specific increased risk from the breach.

If you have an Adobe ID, you'll find information on how to reset your password here. More info can be found in the statement from Arkin on Adobe Featured Blogs, as well as the Krebs on Security blog.

(Adobe sign image courtesy of midiman / Flickr, used under a Creative Commons CC BY 2.0 license.)