Adobe has been hit with a massive cyber attack in which hackers obtained customer IDs, passwords and encrypted credit card information of more than 2.9 million customers. Adobe believes the hackers also breached source-code data of several Adobe products, including Acrobat and ColdFusion.

Bala Venkat, chief marketing officer for Web application security firm Cenzic, put it simply: “Adobe has lost their ‘crown jewels,’ and because every enterprise worldwide uses Adobe in one way or another, the impact is enormous.”

The software giant behind products like Photoshop, InDesign and Shockwave Flash announced last week they had been hit by two separate attacks targeting customer and company information. Adobe is in the process of sending password-reset e-mails and customer security alerts to affected customers to try to mitigate the damage, but there’s a bit of a problem with that approach.

According to independent security reporter Brian Krebs, Adobe has known about the breach since Sept. 17, and they believe the attack happened sometime in mid-August. Considering those customers’ information has been in the hackers’ hands for nearly two months, resetting passwords and canceling credit cards at this point may be moot.

Krebs and a fellow researcher discovered the breach last week, when they found 40GB of Adobe’s source code stashed on a server used by the same cyber criminals believed to be behind cyber attacks on major data aggregators such as LexisNexis earlier this year. Only after the pair shared their findings with Adobe did the company announce the breach, which they’ve been investigating since mid-September.

Adobe’s investigation is still in its early stages, and the company hasn’t finished unearthing the full scope of what data may have been compromised.

“We’re still at the brainstorming phase to come up with ways to provide higher level of assurance for the integrity of our products, and that’s going to be a key part of our response,” Adobe chief security officer Brad Arkin told Krebs. “We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”

Who knows how long Adobe might have sat on the information without the outside investigation forcing their hand. The attack has thrown the viability and security of Adobe’s Creative Cloud, the centerpiece of their SaaS push, into jeopardy, and information security professionals have come out of the woodwork to comment on the implications of the breach.