A sophisticated attack on the Adobe network and across numerous Adobe products like Acrobat has affected at least 2.9 million customers. Adobe’s investigation points to two related attacks in which the attackers gained illegal access to source code for at least three of its products and stole customer information such as names and encrypted credit or debit card numbers, expiration dates and data related to customer orders.
Adobe’s Chief Security Officer, Brad Arkin, recommends “customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products.”
Brian Krebs, of KrebsOnSecurity.com, reports, “Adobe said the credit card numbers were encrypted and that the company does not believe decrypted credit card numbers left its network.” Let’s hope so. In the meantime, the company has begun notifying affected customers and is planning to release security updates on Tuesday, October 8, 2013, for Adobe Reader and Acrobat XI (11.0.04) for Windows.
A customer security alert on Adobe.com asks customers to reset their passwords and assures, “We are working diligently internally, as well as with external partners and law enforcement, to address the incident.”