In a blog post published two days ago, Adobe Inc., the publisher of Adobe Acrobat, Coldfusion and many, many other titles, has reported that their infrastructure was hacked and source code of several products was stolen.
Additionally, the company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts. Adobe said the credit card numbers were encrypted and that the company does not believe decrypted credit card numbers left its network. Nevertheless, the company said that later today it will begin the process of notifying affected customers — which include many Revel and Creative Cloud account users — via email that they need to reset their passwords. A separate customer security alert for users affected by this breach is published on Adobe’s website.
The most disturbing news is that, according to Krebs, Adobe knew about the data breach since mid-August and since September 17th are actively investigating it.
This is bad news for Adobe and for the users that are paying clients of Adobe.
What about the rest of the Adobe users (free) like those of Acrobat Reader, Fusion, Flash and others?
This is the biggest problem in my opinion. If the attackers find some vulnerabilities in the stolen code, they will be basically the only ones that know about them. This way they will be in possession of an exploit that can’t be detected by any security software and even by Adobe (that could fix the vulnerabilities that might get exploited).
In the same time, Adobe published information about releasing critical security updates next Tuesday,October 8, 2013, for Adobe Acrobat and Adobe Reader. This is a very suspicious coincidence in my opinion. Could it be, that Adobe knew about some vulnerabilities that didn’t get publish yet?
Time will tell.
Until things get fully clarified, please don’t open documents of Adobe products that come from untrusted or unknown sources. You never know…