Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers. Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related.
Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident. We’re taking the following steps:
- As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.
- We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.
- We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.
- We have contacted federal law enforcement and are assisting in their investigation.
We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident. For more information, please see the blog post here.
We value the trust of our customers. We will work aggressively to prevent these types of events from occurring in the future. Again, we deeply regret any inconvenience this may cause you. If you would like additional information, please refer to Adobe’s Customer Support page.
Chief Security Officer
At the Black Hat USA 2010 security conference currently underway in Las Vegas, Microsoft today announced that it will extend its Microsoft Active Protections Program (MAPP) to include vulnerability information sharing from Adobe starting this fall.
This opportunity for Adobe to leverage MAPP is exciting news and another important step in our commitment to protecting our customers. In addition to the proactive security measures we continue to build into our products and initiatives to help ensure customers stay current with the latest security updates, we are excited to collaborate with Microsoft to further accelerate industry protection of our users. By sharing Adobe vulnerability information with MAPP members prior to the public release of a security update, we give security providers an early start over exploit code writers, enabling them to offer protection to our mutual customers in a timely manner.
Given the increasing criminal activity in the threat landscape, it is critical that software vendors and the security community at large partner and work together in helping defend against those with malicious intent. MAPP is a great example of a tried and proven model giving an upper hand to a network of global defenders who all rally behind a shared purpose – protecting our mutual customers.
For more information on this announcement, see today’s Adobe Secure Software Engineering Team (ASSET) blog post by Brad Arkin, senior director of product security and privacy at Adobe. For details on the Microsoft Active Protections Program (MAPP), including participating partners, visit Microsoft’s website.
Adobe Reader has a ubiquity and cross-platform reach that few software products can match. This same ubiquity and reach has attracted increasing attention from attackers looking to target the largest possible number of users for maximum gain. Over the last year, Adobe has publicly discussed a number of product security initiatives around Adobe Reader – starting with the May 2009 blog post by Brad Arkin, Adobe’s senior director of product security and privacy, about a major security initiative underway for both Adobe Reader and Acrobat.
Today, Adobe is announcing the next major step in our Adobe Reader product security initiative – the development of Adobe Reader Protected Mode (in the technical community referred to as “sandboxing”). For additional details on this announcement, see today’s Adobe Secure Software Engineering Team (ASSET) blog post by Brad Arkin.
This is exciting news and demonstrates our commitment to help protect our users in the face of a constantly evolving threat landscape. Adobe products are relied on by individuals and organizations worldwide, and the security of our products and customers will always be a key priority for us.
Media coverage this week has suggested that Adobe software may have been a vector used in the recent attacks against Adobe and other companies. We are continuing our investigation into the incident, but to date, none of the work done by Adobe or any third party has uncovered evidence to indicate that Adobe technology was an attack vector. In fact, McAfee just posted an entry on the incident to their Security Insights Blog reinforcing this point.
This incident demonstrates the increased sophistication in today’s malware design and attack strategies. It also serves as a reminder of the importance of multiple layers of security and the need to follow security best practices as the best possible defense against those with malicious intent.
See also Adobe Secure Software Engineering Team (ASSET) Blog
Check out the details of this newly announced global strategic partnership that will ensure better security and protection for enterprises and consumers worldwide: http://blogs.adobe.com/security/2009/09/mcafee_and_adobe_team_on_autom.html#more