If the perpetrators are truly evil-doers, their theft of Adobe source code could mean bad things for the company and its customers, security experts said.


The theft of source code for Adobe Acrobat, Cold Fusion and other products poses a wide-spread threat given the installed base of these products, particularly Acrobat, security specialists said. Adobe disclosed the issue in a blog post on Thursday.

In the post, Adobe Chief Security Officer Brad Arkin wrote:

“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.”

Not good at all. This may be the biggest compromise of a software vendor’s security since the RSA Security stolen token meltdown two years ago.  While that was extremely embarrassing because RSA is explicitly in the software security business and big customers were dinged in the process, Adobe’s products are more widely used by more sorts of customers. Acrobat and Flash are nearly ubiquitous.

Update: In a statement, Hold Security, credited along with Brian Krebs with discovering the breach, said:

“Over 40 Gigabytes in encrypted archives have been discovered on a hackers’ server that appear to contain source code of such products as Adobe Acrobat Reader,Adobe Acrobat Publisher, and the Adobe ColdFusion line of products.  It appears that the breach of Adobe’s data occurred in early August of this year but it is possible that the breach was ongoing earlier.  While it is unclear at this time how the hackers obtained the source code and whether they analyzed or used it for malicious purposes, it appears that the data was taken and viewed by unauthorized individuals.”

Security experts said  this is serious business. “This is a source code breach not just a data breach,” said Dan Hubbard, CTO of web security vendor OpenDNS. “Having source code is a huge advantage because they can more easily hunt for and find weaknesses in the code. Before they’d have to run lots of black-box testing to do that.”

Another security specialist who could not speak on the record because he works with many of these vendors, agreed. “The issue here is that these guys will be able to find vulnerabilities and develop custom malware and use it privately before it ever goes public,” he said.

And, they could also outright sell the source code to China or other parties that could then develop counterfeit versions of the programs, he said.

Indeed, because Adobe products like Flash and Acrobat are so widely used, they’ve been prime targets in the past. One unstated motivation for Adobe moving to an all-cloud distribution model for its desktop software — or as critics called it “forced upgrades” — may have been to get a lot of old and unpatched software off the market.

As of now, Adobe is unaware of any zero-day exploits or specific increased risk to customers, but that may not make anyone feel any better. After all, Acrobat Acrobat Reader is installed on millions and millions of PC and Mac devices.

This story was updated at 6:30 p.m. PDT with additional information on Hold Security’s role in uncovering this breach.

You’re subscribed! If you like, you can update your settings

  1. Let’s rewind 2 years back to: Adobe, McAfee to Combine DRM and Data-loss Prevention


    1. thanks for that reminder. i had forgotten

    2. 3 Years. Its 3 Years back. Obviously its all bullshit anyway.

  2. Thomas Krafft Friday, October 4, 2013

    But in their defense, how could any company have possibly known that in the year 2013, mere decades after the development of connected internal and online networks, that a large company’s network and source-code, and millions of their user accounts and credit card information, might be vulnerable to hacking? I mean, the odds of such an event are similar to getting struck by lightning – if you strap yourself to the top of a very tall metal tower, in an otherwise empty field containing no other tall structures, in the middle of a lightning storm. So, basically, they had no reason to worry. Right?

  3. Nicolas Martin Friday, October 4, 2013

    Adobe is the most technically inept of all the tech companies. Since its inception, Adobe’s handling of Creative Cloud subscriptions has been abysmal, and this latest is a fiasco.

    1. Very true. They’re also single-handledly responsible for the killing of ColdFusion as a secure framework; doomed from the moment it was taken under their umbrella of mismanagement. When ColdFusion first came out, it was innovative, promising, and ahead of its time in the area of web and application development. This came to a halt when after a Macromedia buyout by Adobe, leading to a stall in the code and security evolution. Today, it’s riddled with security vulnerabilities, with over 3 significant breaches this year alone. Incomprehensible how one company can be so simultaneously incompetent on so many different ends.

  4. so why was credit card data and source code in the same area…and if the Intellectual Property crown jewels are in the area I’m willing to be crypto keys for any encrypted data is are in the same area

    1. Exactly. Why on earth is PCI data not segregated from everything else? Not rocket science people! Whomever their PCI QSA is might want to get a head start on umeployment…oh wait…government shutdown…shucks.

      1. They probably back _everything_ up to pdf in some central location.

    2. It wasn’t necessarily in the same area, but obviously if you’re an Adobe network administrator you need to be able to get to both. Seize those credentials, you can access any system that the IT department can get to. It’s like saying that, say, Time Warner Cable keeps their credit card information in the same place that your local library stores its book list just because you can get to both from the same network.

  5. Guess I will stay building in Silverlight…..

  6. Trying to prolong the confusion? Adobe Acrobat is not installed on millions of PCs; Adobe Reader is.

    1. i did shorthand. corrected the story. Acrobat Reader is affected.

  7. Guess the “suspicious” email I received from Adobe Customer Service about changing my password was right on the money. That is way bad.

    1. Actually no, Adobe are sending out legitimate emails to inform users that they might have been caught in the breach. You can manually type the provided web address into your browser to ensure you go to the correct reset page and don’t get click jacked or something.

      I received such an email and after some careful checking I saw it was genuine.

      1. I think he knew that.

  8. What’s “Bad, Real Bad” is the source code itself, I’ll bet. I don’t even know why anyone would touch such disgusting, bloated, poorly-made code, let alone take it. Eeww.

    Though if companies can make copy-cat products that actually WORK RIGHT, and are actually AFFORDABLE for the majority of the population, I’d give ‘em an approving nod at least.

    Adobe has refused to do those themselves for so long, it’s way past time they stop having such a monopoly on the popular formats under their unreasonable demands for their terrible programs.

    There’s no way they’ll fix this problem in time to protect the customers or products if the hacker’s going malicious. Look how long it’s taken them to get Flash to go 64 bit! How they chose to remove Flash support from Droid phones/tablets rather than fix all the glaring issues, rendering a HUGE amount of websites and content unviewable!

    Anyone who buys an Adobe product is already punished, by insanely high prices, and then by HORRIBLE products. And now they might get punished yet again. For making the mistake of supporting such a crappy company.

    Most other companies, I’d feel sorry for, but I’d know that they’d quickly rectify the issue anyway. But neither for Adobe. All I can do is laugh, eat popcorn, and watch whatever happens next if something does.

    1. Having coldfusion source being out is terrible. Have a webserver with secured data that uses coldfusion? Sucks to be us for the next few years.

  9. Hans Magnus Mikalsen Nedreberg Saturday, October 5, 2013

    Adobe killed Flash too, and all Flash applications and components created by Adobe are terrible memory leaking monsters.

    1. Yep. Macromedia had it working fine. While HTML5 does wonders for us, Flash was already sound and awesome.

      1. Flash was never sound, nor awesome. Sorry pal.

    2. Correction: Steve Jobs killed Flash.

    3. Flash was decent until multi-core CPU’s came along and the single-thread performance started going down. Adobe has done nothing to improve the situation, and has only ever focused on the software video rendering since Flash 9

Comments have been disabled for this post