Adobe said Thursday that it recently suffered a massive security breach that compromised the IDs, passwords, and credit card information of nearly three million customers.
"Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders," Brad Arkin, Adobe's chief security officer, wrote in a security alert.
Arkin said the unknown attackers made off with encrypted credit and debit card numbers, but added that "[a]t this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems."
The software firm also said "source code for numerous Adobe products" was stolen in a separate intrusion that could be related to the theft of customer information.
Adobe said it had alerted federal law enforcement authorities to the attacks and informed its banking and payment processing partners. The company said it would reset "relevant customer passwords" as a precaution, with affected customers due to receive email notifications instructing them to change their Adobe passwords. Arkin also recommended that any affected customers who use the same password for other sites as they do for Adobe change their login details for those other sites as well.
The company said customers whose credit or debit card information was compromised would be offered a year's membership in a credit monitoring service courtesy of Adobe.
"We will work aggressively to prevent these types of events from occurring in the future. Again, we deeply regret any inconvenience this may cause you," Arkin said.
Adobe did not specify which of its products were compromised in the source-code theft, but Brian Krebs of the Krebs on Security blog, which reported the security breach several hours before Adobe officially acknowledged it, said the "ColdFusion Web application platform and possibly [the] Acrobat family of products" were among those affected.
Krebs said that last week, he and fellow security researcher Alex Holden of Hold Security "discovered a massive 40GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet, and Kroll." The collection of compiled and uncompiled code "appeared to be source code for ColdFusion and Adobe Acrobat," he reported.