By Joseph Menn
BOSTON, Oct 3 - Adobe Systems Inc said on
Thursday that hackers had stolen source code to some of its most
popular software and data about millions of its customers.
Security experts worry about the theft of source code
because close review of the programs can lead to the discovery
of new flaws that can be used to launch hard-to-detect attacks
against all users of that software.
The hackers took source code for Adobe Acrobat, which is
used to create electronic documents in the PDF format, as well
as ColdFusion and ColdFusion Builder, used to create Internet
applications, Adobe said.
Adobe Chief Security Officer Brad Arkin said the company had
been investigating the breach since its discovery two weeks ago
and that it had no evidence of any attacks based on the theft.
"Based on our findings to date, we are not aware of any specific
increased risk to customers as a result of this incident," Arkin
wrote on an Adobe blog.
Arkin said hackers also took information on 2.9 million
Adobe customers, including their names, user identification
numbers and encrypted passwords and payment card numbers. He
said the attacks may be related.
The company said it was resetting passwords for affected
customers worldwide and warning people to change any passwords
reused at other sites. The U.S. Department of Homeland
Security's computer incident response team on Thursday warned
that Adobe customers should be on the alert for fraud.
Adobe said it was working with banks and federal law
enforcement to mitigate intrusions on customer accounts and to
pursue those responsible.
The company said it had been helped by cybersecurity
journalist Brian Krebs and security expert Alex Holden, who
found a cache of Adobe code while probing attacks at three major
U.S. data providers.
Krebs wrote on his blog, KrebsonSecurity.com, on Thursday
that the two men discovered the code while investigating
breaches at Dun & Bradstreet Corp, Altegrity Inc's
Kroll Background America Inc and Reed Elsevier's
LexisNexis Inc.
He said the Adobe code was on a server that he believed was
used by those who hacked into LexisNexis and the others. The
hackers offered Social Security numbers, credit report
information and other highly sensitive data for sale over the
Internet and had access inside the companies' websites through
hacked computers, Krebs said.
In a 10-Q filing on Thursday, Adobe referred to the recent
attacks in one paragraph. "We do not believe that the attacks
will have a material adverse impact on our business or financial
results," it said. "It is possible, nevertheless, that this
incident could have various adverse effects."