UPDATED 10 am ET Monday (Oct. 7) with news that Gmail was segregating some Adobe breach-notification emails as spam.
Adobe Systems, maker of Photoshop, InDesign, Premiere and other professional creative software products, said today (Oct. 3) that the personal and financial data of nearly 3 million Adobe customers, as well as the source code for Adobe products, had been stolen in a massive data breach.
"Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems," read an Adobe company blog post attributed to Chief Security Officer Brad Arkin.
"We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers," Arkin added, "including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders."
Arkin said the company was resetting passwords on affected accounts, notifying customers whose credit- or debit-card information was exposed, notifying the financial institutions handling customer accounts and working with law enforcement.
"Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available," Arkin said.
Adobe set up a page with instructions for customers on how to reset their Adobe passwords.
Apart from what Adobe recommends, customers who have ever bought software directly from the Adobe website should immediately change the password on their Adobe account, as well as on any other account that shares that password, and should closely monitor their financial records for the next several months.
In a separate blog posting dated yesterday (Sept. 2), Arkin said that "Adobe is investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an unauthorized third party."
"Based on our findings to date," Arkin said, "we are not aware of any specific increased risk to customers as a result of this incident."
Arkin thanked Brian Krebs, the independent security blogger who has been investigating professional identity thieves at his KrebsOnSecurity blog.
Krebs has revealed that a single gang used sophisticated malware to breach the networks of Dun & Bradstreet, LexisNexis and the National White Collar Crime Center, and then resold the information in underground criminal marketplaces.
Examining the gang's server contents (which were posted online by a rival group of hackers), Krebs and fellow researcher Alex Holden of Hold Security found source code for Adobe products in a 40-gigabyte trove of stolen software.
Krebs informed Adobe of the findings a week ago, and in return Adobe told Krebs the company had been conducting its own investigation since mid-September.
In June, Adobe began a multi-year process to shift its software distribution from the traditional model of boxed DVDs sold in stores to an open-ended subscription model, in which paying customers download software straight from the Adobe website. (The new subscriptions were almost immediately hacked and pirated.)
That's a noble effort to combat piracy and unauthorized re-use of Adobe products — millions of Americans have copies of Photoshop they didn't directly pay for — but it also means that Adobe aims to retain the credit-card information of almost all its customers.
Judging by today's events, that might not be such a good idea.
UPDATE: On Sunday (Oct. 6), independent information-security researcher Graham Cluley noted that an email from Adobe notifying him of the data breach had been diverted by Gmail into Cluley's spam folder.
"It's not clear quite why Gmail has mistaken this legitimate email from Adobe as spam, but clearly the Google service has misidentified it as an attempt to phish details from users," Cluley wrote on his blog.