Adobe hacking: customer credit card details and Adobe source code stolen

Adobe is the latest big name to have been hacked. According to the company, source code for numerous Adobe products including Acrobat and ColdFusion has been stolen, customer IDs and passwords have been accessed, and card details for 2.9 million customers have been stolen in a sophisticated cyber-attack on its website. The breach was initially carried out in mid-August but was not spotted until September 17. However, whilst Adobe accepts that the attackers accessed encrypted customer passwords and payment card numbers, it believes that decrypted debit or credit card data was not removed.

In a statement, Brad Arkin, Adobe’s chief security officer, said:

“Very recently Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders, as well as source code for numerous Adobe products. We deeply regret that this incident occurred. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.”

However, industry experts are concerned that the attack has been played down and that the full extent of the hack has yet to be appreciated. Chester Wisniewski, senior adviser at internet security company Sophos, told the BBC:

“Access to the source code could be very serious. Billions of computers around the world use Adobe software, so if hackers manage to embed malicious code in official-looking software updates they could potentially take control of millions of machines. This is on the same level as a Microsoft security breach,” he added.

According to independent pentester and password expert Robin Wood, the word ‘encryption’ that Adobe uses in all probability means ‘hashing’, as the two terms have come to be used interchangeably. Speaking to InfoSecurity, he argued that if the stolen information was hashed then the repercussions for the company and its customers could be far-reaching, as hashes are more likely to be cracked:

“If [they] were hashes then it depends what algorithm they used and whether they used salts or not,” explained Wood. “Bcrypt should be OK but unsalted md5 would be easily crackable.”

“MD5 is broken. SHA1 is widely regarded as broken. The problem with most hashing algorithms is that they are designed for speed which makes them vulnerable to brute-forcing.”

However, he believes that if bcrypt was used, it upsets the traditional brute-force model by adding extra time and cost so that “an attacker can no longer calculate millions of hashes per second.”
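As an added example, not code from the article, Adobe or Robin Wood, the following Python shows the two storage schemes Wood contrasts: an unsalted fast hash (MD5), where every user with the same password ends up with the same stored value, and a salted, deliberately slow password hash. The standard library's PBKDF2-HMAC stands in for bcrypt (which is not in the standard library); the record format, the iteration count and the sample user list are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor for the slow scheme; it plays the role of bcrypt's cost
# parameter. Raise it until one verification takes roughly 100 ms on your hardware.
ITERATIONS = 100_000


def store_unsalted_md5(password):
    # Weak scheme: no salt, one fast hash. Identical passwords give identical
    # stored values, so a single precomputed table covers every user at once.
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_pbkdf2(password, salt=b""):
    # Stronger scheme: a random per-user salt plus an iterated (slow) hash.
    # Record format "iterations$salt$digest" is constructed for this example.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_pbkdf2(password, stored):
    # Recompute with the stored salt and iteration count, then compare in
    # constant time so the check does not leak how many bytes matched.
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_exposure(records):
    # Groups usernames whose stored values are identical. Under the unsalted
    # scheme this exposes password reuse across accounts; under the salted
    # scheme it returns nothing even when passwords are shared.
    groups = {}
    for user, value in records.items():
        groups.setdefault(value, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}  # constructed
    md5_records = {u: store_unsalted_md5(p) for u, p in users.items()}
    kdf_records = {u: store_salted_pbkdf2(p) for u, p in users.items()}
    print("unsalted md5 groups:", shared_password_exposure(md5_records))
    print("salted pbkdf2 groups:", shared_password_exposure(kdf_records))
```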

Although Adobe said that it did not believe the attackers removed decrypted credit or debit card numbers from its systems, Wood believes that Adobe is probably referring to clear-text versions of the card numbers, saying “they should be stored encrypted but at some point have to be decrypted to be used so that would be the ideal place to grab them.”

The implication is that this was not a simple hack-and-grab situation, where the hackers break in, steal the password database, and leave. Security experts believe the hackers had a longer-standing presence within Adobe’s systems, and were able to wait, watch and potentially steal the details as they were being used: a point which Adobe firmly denies. Gilhooley believes the truth probably lies somewhere between the two points of view, claiming:

“If they have unencrypted card numbers on their systems, they will be in a lot of trouble with the card brands. I suspect that they have encrypted card numbers stored, and they are currently trying to identify if their attackers have compromised the encryption keys used to protect them.”

So, were they encrypted or hashed? Well, Adobe is keeping its cards close to its chest. As things stand it is unclear how Adobe protected the card details and account passwords, or whether any Trojan was used to hijack the details. In the meantime Adobe is resetting all customer passwords and offering US customers the option of a year’s complimentary credit monitoring.

If your company needs help with security reviews, penetration testing or web security solutions, please contact Krypsys on 01273 044072 or [email protected].