Adobe source code breach; it’s bad, real bad

The theft of source code for Adobe Acrobat, ColdFusion and other products poses a widespread threat given the installed base of these products, particularly Acrobat, security specialists said. Adobe disclosed the issue in a blog post on Thursday.

In the post, Adobe Chief Security Officer Brad Arkin wrote:

“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.”

Not good at all. This may be the biggest compromise of a software vendor’s security since the RSA Security stolen token meltdown two years ago. While that was extremely embarrassing because RSA is explicitly in the software security business and big customers were dinged in the process, Adobe’s products are more widely used by more sorts of customers. Acrobat and Flash are nearly ubiquitous.

Update: In a statement, Hold Security, credited along with Brian Krebs with discovering the breach, said:

“Over 40 Gigabytes in encrypted archives have been discovered on a hackers’ server that appear to contain source code of such products as Adobe Acrobat Reader, Adobe Acrobat Publisher, and the Adobe ColdFusion line of products. It appears that the breach of Adobe’s data occurred in early August of this year but it is possible that the breach was ongoing earlier. While it is unclear at this time how the hackers obtained the source code and whether they analyzed or used it for malicious purposes, it appears that the data was taken and viewed by unauthorized individuals.”

Security experts said this is serious business. “This is a source code breach not just a data breach,” said Dan Hubbard, CTO of web security vendor OpenDNS. “Having source code is a huge advantage because they can more easily hunt for and find weaknesses in the code. Before they’d have to run lots of black-box testing to do that.”

Another security specialist, who could not speak on the record because he works with many of these vendors, agreed. “The issue here is that these guys will be able to find vulnerabilities and develop custom malware and use it privately before it ever goes public,” he said.

And, they could also outright sell the source code to China or other parties that could then develop counterfeit versions of the programs, he said.

Indeed, because Adobe products like Flash and Acrobat are so widely used, they’ve been prime targets in the past. One unstated motivation for Adobe moving to an all-cloud distribution model for its desktop software — or as critics called it “forced upgrades” — may have been to get a lot of old and unpatched software off the market.

As of now, Adobe is unaware of any zero-day exploits or specific increased risk to customers, but that may not make anyone feel any better. After all, Acrobat Reader is installed on millions and millions of PC and Mac devices.

This story was updated at 6:30 p.m. PDT with additional information on Hold Security’s role in uncovering this breach.

45 Responses to “Adobe source code breach; it’s bad, real bad”

  1. Adobe sent me this comment in an email, “Adobe is not aware of any specific increased risk to customers as a result of this incident.” What a jerk-off thing to say! Of course customers are at risk you bastards! How dare you try and play it down. I’m really beginning to despise this company.

  2. Gearmesh

    Adobe as a company should not be allowed on the Internet. Go back to selling a boxed product off the shelf on a CD/DVD. Everything you do on the web is compromised. Adobe get yourself some new network and security engineers.

  3. Fernando

    Flash was decent until they started making applications and games with it.
    I have no problem, I use Evince instead of Reader. I made the change when I saw that Adobe was using Reader to infiltrate Adobe Air in the computers, this makes it bloated, slow, it has to update too many times and a security risk, so if they took the source to Adobe Reader, they have the source to Adobe Air.

  4. Don Gateley

    Early on this was a highly competent and ethical company. It no longer even deserves the name. From the withdrawal of the founders onward it has sunk like a ship without a bottom.

  5. Adobe can’t keep their own software safe. Whatever gave them the idea that they could keep our personal info including credit card numbers safe?


    This CEO needs to GO!

  6. Macromedia never needed to get Flash running on mobile devices. Sales of smartphones and tablets keep increasing while sales of desktops and laptops continue to drop. I haven’t bought any Adobe products in over 15 years. They’re vastly overpriced.

  7. Lama thubwang

    I am a serious computer user and use software from our Adobe, it’s a pity that everything has gone cloud, tech is not really up to it at the moment. So as an engineer I am not into cloud stuff, it’s asking for trouble and Adobe is risking losing a lot of midrange users and increasing using illegal copies of CS5 and CS6. The users using hacked forms of the CS suites are also very aware of cloud dangers because they are computer handy people. Lucky I bought CS6 the traditional way and running it ‘on board’ I think it’s very unfortunate for Adobe, after all these types of codes is still very much a mudhouse.

  8. zacloud

    What’s “Bad, Real Bad” is the source code itself, I’ll bet. I don’t even know why anyone would touch such disgusting, bloated, poorly-made code, let alone take it. Eeww.

    Though if companies can make copy-cat products that actually WORK RIGHT, and are actually AFFORDABLE for the majority of the population, I’d give ’em an approving nod at least.

    Adobe has refused to do those themselves for so long, it’s way past time they stop having such a monopoly on the popular formats under their unreasonable demands for their terrible programs.

    There’s no way they’ll fix this problem in time to protect the customers or products if the hacker’s going malicious. Look how long it’s taken them to get Flash to go 64 bit! How they chose to remove Flash support from Droid phones/tablets rather than fix all the glaring issues, rendering a HUGE amount of websites and content unviewable!

    Anyone who buys an Adobe product is already punished, by insanely high prices, and then by HORRIBLE products. And now they might get punished yet again. For making the mistake of supporting such a crappy company.

    Most other companies, I’d feel sorry for, but I’d know that they’d quickly rectify the issue anyway. But neither for Adobe. All I can do is laugh, eat popcorn, and watch whatever happens next if something does.

    • Adobe =man

      Actually no, Adobe are sending out legitimate emails to inform users that they might have been caught in the breach. You can manually type the provided web address into your browser to ensure you go to the correct reset page and don’t get click jacked or something.

      I received such an email and after some careful checking I saw it was genuine.

  9. So why was credit card data and source code in the same area…and if the Intellectual Property crown jewels are in the area I’m willing to bet crypto keys for any encrypted data are in the same area

    • Exactly. Why on earth is PCI data not segregated from everything else? Not rocket science people! Whoever their PCI QSA is might want to get a head start on unemployment…oh wait…government shutdown…shucks.

    • It wasn’t necessarily in the same area, but obviously if you’re an Adobe network administrator you need to be able to get to both. Seize those credentials, you can access any system that the IT department can get to. It’s like saying that, say, Time Warner Cable keeps their credit card information in the same place that your local library stores its book list just because you can get to both from the same network.

  10. Nicolas Martin

    Adobe is the most technically inept of all the tech companies. Since its inception, Adobe’s handling of Creative Cloud subscriptions has been abysmal, and this latest is a fiasco.

    • Deepraj Kunnath

      Very true. They’re also single-handedly responsible for the killing of ColdFusion as a secure framework; doomed from the moment it was taken under their umbrella of mismanagement. When ColdFusion first came out, it was innovative, promising, and ahead of its time in the area of web and application development. This came to a halt after a Macromedia buyout by Adobe, leading to a stall in the code and security evolution. Today, it’s riddled with security vulnerabilities, with over 3 significant breaches this year alone. Incomprehensible how one company can be so simultaneously incompetent on so many different ends.

  11. Thomas Krafft

    But in their defense, how could any company have possibly known that in the year 2013, mere decades after the development of connected internal and online networks, that a large company’s network and source-code, and millions of their user accounts and credit card information, might be vulnerable to hacking? I mean, the odds of such an event are similar to getting struck by lightning – if you strap yourself to the top of a very tall metal tower, in an otherwise empty field containing no other tall structures, in the middle of a lightning storm. So, basically, they had no reason to worry. Right?