Adobe says source code, customer data stolen by hackers

Reuters

By Joseph Menn

BOSTON, Oct 3 (Reuters) - Adobe Systems Inc said on Thursday that hackers had stolen source code to some of its most popular software and data about millions of its customers.

Security experts worry about the theft of source code because close review of the programs can lead to the discovery of new flaws that can be used to launch hard-to-detect attacks against all users of that software.

The hackers took source code for Adobe Acrobat, which is used to create electronic documents in the PDF format, as well as ColdFusion and ColdFusion Builder, used to create Internet applications, Adobe said.

Adobe Chief Security Officer Brad Arkin said the company had been investigating the breach since its discovery two weeks ago and that it had no evidence of any attacks based on the theft. "Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident," Arkin wrote on an Adobe blog.

Arkin said hackers also took information on 2.9 million Adobe customers, including their names, user identification numbers and encrypted passwords and payment card numbers. He said the attacks may be related.

The company said it was resetting passwords for affected customers worldwide and warning people to change any passwords reused at other sites. The U.S. Department of Homeland Security's computer incident response team on Thursday warned that Adobe customers should be on the alert for fraud.

Adobe said it was working with banks and federal law enforcement to mitigate intrusions on customer accounts and to pursue those responsible.

The company said it had been helped by cybersecurity journalist Brian Krebs and security expert Alex Holden, who found a cache of Adobe code while probing attacks at three major U.S. data providers.

Krebs wrote on his blog, KrebsonSecurity.com, on Thursday that the two men discovered the code while investigating breaches at Dun & Bradstreet Corp, Altegrity Inc's Kroll Background America Inc and Reed Elsevier's LexisNexis Inc.

He said the Adobe code was on a server that he believed was used by those who hacked into LexisNexis and the others. The hackers offered Social Security numbers, credit report information and other highly sensitive data for sale over the Internet and had access inside the companies' websites through hacked computers, Krebs said.

In a 10-Q filing on Thursday, Adobe referred to the recent attacks in one paragraph. "We do not believe that the attacks will have a material adverse impact on our business or financial results," it said. "It is possible, nevertheless, that this incident could have various adverse effects."
