Adobe Systems has reported a massive security breach that could impact up to 2.9 million Adobe customers.
According to Brad Arkin, Adobe’s chief security officer, cyber-attackers compromised information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates and other information relating to customer orders.
“At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems,” Arkin said in a blog post. “We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident.”
Arkin said as a precaution, Adobe is resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. Any Adobe customer whose user ID and password were involved will receive an email notification from the company with information on how to change their password. Adobe also recommends that users change their passwords on any Websites where they may have used the same user ID and password.
Adobe is in the process of notifying customers whose credit or debit card information the company believes to be involved in the incident.
“If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you,” Arkin said. “Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.”
Moreover, Adobe has notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts. And the company has contacted federal law enforcement and is assisting in their investigation.
“Cyber-attacks are one of the unfortunate realities of doing business today,” Arkin said. “Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber-attackers. Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related.”
Meanwhile, Adobe also is investigating the illegal access to source code of numerous Adobe products, he said. “Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident,” he added.
In a separate post, Arkin said Adobe is investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an unauthorized third party.
“Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident,” he said, giving a shout out to Brian Krebs of KrebsOnSecurity.com and Alex Holden, chief information security officer at Hold Security, for their help in Adobe’s response to this incident.
“We are not aware of any zero-day exploits targeting any Adobe products,” Arkin said. “However, as always, we recommend customers run only supported versions of the software, apply all available security updates and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. These steps are intended to help mitigate attacks targeting older, unpatched or improperly configured deployments of Adobe products.”