While their investigations are still ongoing, Adobe has shared a few details on what they believe could have been accessed and obtained in the hack — and it’s a big one.
From what Adobe has shared so far, it sounds like the hackers had access to encrypted data for as many as 2.9 million customers. While Adobe stresses that the data is encrypted and that they “do not believe the attackers removed decrypted credit or debit card numbers”, that data — encrypted or not — is definitely not something they want out in the wild.
Adobe has yet to disclose how that data was encrypted, so it’s currently unclear just how secure it is.
Meanwhile, it also appears that the hackers may have been able to access the source code for at least three of Adobe’s products: Acrobat, ColdFusion, and ColdFusion Builder. This goes hand in hand with a report from Brian Krebs this morning, who noted that he and a fellow researcher had discovered at least 40GB of Adobe source code available on a hacking group’s private server.
Beyond the obvious business implications of having your otherwise locked down source code floating around in the wild, there are potentially massive security concerns here. Once you’ve got the source code for an application in hand, it becomes much easier to dig up the stealthy lil’ security screw ups that might otherwise go unnoticed. Combine this new potential for big zero-day exploits with the many, many millions of Adobe Acrobat (Adobe’s official PDF reader) installs around the world, and this all starts to get pretty worrisome.
source1.