Adobe Systems, makers of popular software such as Acrobat, admitted on Thursday that hackers had penetrated its systems and stolen source code for its Acrobat and ColdFusion software. Adobe also admitted that hackers had stolen data on 2.9 million customers, including names and encrypted passwords.
The theft of source code is what has alarmed security experts the most, according to a Reuters report. “Source code” can be used to craft new “zero day” attacks, which are hard to detect or defend against.
ESET Researcher Stephen Cobb said that this attack was, “pretty much unprecedented” in terms of the potential risks it posed.
“We have seem previous breaches of customer information that were bigger than this, but if, as Brian Krebs suggests, the source code of Adobe Acrobat has been compromised, that would be pretty much unprecedented,” Cobb said.
“According to Adobe’s own figures, there are hundreds of millions of instances of Adobe Reader and Acrobat, across all major computing platforms, including Windows, Mac, iOS and Android,” Cobb says. Access to the source code could be a major asset for cybercriminals looking to target those platforms.
Adobe insists that thus far, criminals have not used the source code to create new attacks.
“We are not aware of any zero-day exploits targeting any Adobe products,” Adobe Chief Security Officer Brad Arkin said in a company blog. Arkin said that the company had been investigating the breach since its discovery two weeks ago.”Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident,” Arkin said.
Arkin said that customers applied all available security updates to “help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products.” Adobe has initiated a password reset for the 2.9 million users affected by the breach.
The company thanked Brian Krebs of Krebs on Security for his help with responding to the incident. Krebs found evidence that Adobe’s servers had been breached while investigating an identity theft ring earlier this year.
“KrebsOnSecurity first became aware of the source code leak roughly one week ago,” Krebs wrote, “When this author – working in conjunction with fellow researcher Alex Holden, CISO of Hold Security LLC – discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll. The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.”
The hacking team used the data from LexisNexis and Kroll to operate an “identity theft service”, which was uncovered in a long investigation by Krebs, and reported on Krebs on Security.
Krebs’s report related to a website – ssndob[dot]ms – which Krebs said had been offering personal data on any U.S. resident for two years, including addresses, birth dates, and credit and background checks, with prices ranging from 50c to $15.The site stole 3.1 million date-of-birth records and over a million social security numbers – and offered data on famous Americans including Michelle Obama, Beyonce and the director of the CIA.
Author Rob Waugh, We Live Security