Last month, Adobe, not a fan of candid transparency, “thanked” Brian Krebs for pressuring them to confirm vaguely that Adobe’s own systems had been hacked into and that its prized source code of its marquee products including Acrobat, ColdFusion and Photoshop, in addition to 2.9 million customer credit cards, purportedly over 40GB of source code and account credentials for somewhere between 38 and 152 million users were in the wind, found by a security professional on a server associated with criminal hackers, believed to be the largest corporate hack in history.
By “in the wind” I mean I’m two gigs into my own download of this data from a quickly-googled Mega link. Everyone has access to it from rubberneckers to bad guys and security experts have confirmed it’s the real deal. According to the NYTimes last week, whatever encryption present in these Adobe files is not effective.
More and more news items are being tied to this, including “tip of the iceberg” toned articles, most recently Facebook’s decision to prompt its users who Facebook discovered had used the same credentials in the Adobe breach to change their Facebook password and answer security questions.
Other large companies are following their lead (and keeping the story in the news, which is hopefully prompting many more Adobe customers to take precautions), including the redoubtable Diapers.com, Soap.com and WordPress.com which made their announcement just last Wednesday.
Who else? The US Army, Department of Energy, Department of Health and Human Services are in the news for being advised by the FBI that their systems were compromised due to Adobe software being infiltrated.
Earlier in the year, PR Newswire’s network and systems were compromised, including their user data, found on the same server the hackers used to store the Adobe source code and that their ColdFusion systems were subjected to a large-scale distributed attack shortly before the breach reportedly occurred. That doesn’t prove it wouldn’t have happened without the source code breach, but in the court of the media, of course it does.
Also in the news last week, Adobe was hit with a class action lawsuit for security incompetence and a failure to reveal the extent of the damage and warn its users accordingly and timely. And Photoshop’s source code was added to the list of what was confirmed to have been leaked.
Adobe Acrobat, Acrobat Reader and Coldfusion, along with most of Adobe’s other software, have had their share of vulnerabilities and exploits over the years. Hackers having a program’s source code makes their job of finding vulnerabilities much easier which is why companies go to extreme lengths to keep a lid on that data. Among the things that are unclear is if any sensitive Adobe data wasn’t leaked. A number that’s tough to ballpark is how many people in the world need to worry about identity theft and their organization’s digital security as a result of the breach.
A few more items from last week, Google’s developer release of Chrome, rather than launching Adobe Acrobat, loads PDFs with its own built-in reader that is sandboxed. That feels related to me, a move that would have made less sense if Adobe ran a tighter ship.
The kicker: Wall Street’s take on this clusterfudge? Adobe’s stock closed at an all-time high Friday.