Krebs, a former Washington Post security reporter turned independent cybersecurity journalist, says Adobe encrypts credit card information; so a password change will likely be the extent of the effect on 2.9 million people whose customer accounts were accessed. The larger issue is that the hackers were able to access Adobe’s closed source code, which could mean more attacks are on their way.
“If you give somebody the blueprints to the Death Star, it is a lot easier to infiltrate,” he says.
The Death Star in this case is the Adobe software ecosystem, which runs closed-source code that isn’t available to the public. One reason companies use closed-source code is for security: if people can’t see the code, they don’t know how to break it. That is unless, as in this case, the code is illegally accessed. Though Adobe is now aware of a few vulnerabilities in its software, the hackers that had access to the source code could be on the prowl for other weak spots.
This could mean more widespread attacks on Adobe products, which cover everything from opening PDFs through Adobe Reader to designing web apps through Adobe ColdFusion. So what is the hackers' motivation? Krebs says it could range from gaining deeper access for more targeted attacks, as hackers better understand the framework of Adobe security, or even to sell source-code secrets. An Adobe source code vulnerability could go for “tens of thousands” of dollars, he estimates. And this is only the tip of the iceberg.
"It wasn’t just some opportunistic [hacker]," he says about the attacks. "They’ve been very methodical about the targets."
He points out that the hackers behind the attack were also behind recent data breaches at LexisNexis (which holds a huge database of legal and public records), Dun & Bradstreet (a data aggregator), and Kroll Background America Inc. (which gathers information on employment, drug, and health screening). Their motivation, he explains in a previous blog post, for those attacks was likely to gain information on knowledge-based authentication, which could then be used to apply for credit or transfer money. So if a banker asks a hacker for a social security number or employment history, they would be able to answer using information gleaned from these companies’ servers.