{ "id": "4e697d2e-8ecf-4947-b43e-2c18b8298aa8", "created_at": "2026-04-06T00:17:41.932532Z", "updated_at": "2026-04-10T03:25:23.257267Z", "deleted_at": null, "sha1_hash": "92bd5c44018bb37bb15b90dae328d1698dd2817a", "title": "Adobe To Announce Source Code, Customer Data Breach", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 95855, "plain_text": "Adobe To Announce Source Code, Customer Data Breach\r\nPublished: 2013-10-22 · Archived: 2026-04-05 16:33:35 UTC\r\nAdobe Systems Inc. is expected to announce today that hackers broke into its network and stole source code for\r\nan as-yet undetermined number of software titles, including its ColdFusion Web application platform, and\r\npossibly its Acrobat family of products. The company said hackers also accessed nearly three million customer\r\ncredit card records, and stole login data for an undetermined number of Adobe user accounts.\r\nA screen shot of purloined source code stolen from Adobe, shared with the company by KrebsOnSec\r\nKrebsOnSecurity first became aware of the source code leak roughly one week ago, when this author — working\r\nin conjunction with fellow researcher Alex Holden, CISO of Hold Security LLC — discovered a massive 40 GB\r\nsource code trove stashed on a server used by the same cyber criminals believed to have hacked into major data\r\naggregators earlier this year, including LexisNexis, Dun \u0026 Bradstreet and Kroll. The hacking team’s server\r\ncontained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and\r\nAdobe Acrobat.\r\nShortly after that discovery, KrebsOnSecurity shared several screen shots of the code repositories with Adobe.\r\nToday, Adobe responded with confirmation that it has been working on an investigation into a potentially broad-ranging breach into its networks since Sept. 17, 2013.\r\nIn an interview with this publication earlier today, Adobe confirmed that the company believes that hackers\r\naccessed a source code repository sometime in mid-August 2013, after breaking into a portion of Adobe’s network\r\nthat handled credit card transactions for customers. Adobe believes the attackers stole credit card and other data on\r\napproximately 2.9 million customers, and that the bad guys also accessed an as-yet-undetermined number of user\r\nnames and passwords that customers use to access various parts of the Adobe customer network.\r\nColdFusion source code repository found on hacker’s server.\r\nhttps://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/\r\nPage 1 of 3\n\nAdobe said the credit card numbers were encrypted and that the company does not believe decrypted credit card\r\nnumbers left its network. Nevertheless, the company said that later today it will begin the process of notifying\r\naffected customers — which include many Revel and Creative Cloud account users —  via email that they need to\r\nreset their passwords.\r\nIn an interview prior to sending out a news alert on the company’s findings, Adobe’s Chief Security Officer Brad\r\nArkin said the information shared by this publication “helped steer our investigation in a new direction.” Arkin\r\nsaid the company has undertaken a rigorous review of the ColdFusion code shipped since the code archive was\r\ncompromised, and that it is confident that the source code for ColdFusion code that shipped following the incident\r\n“maintained its integrity.”\r\n“We are in the early days of what we expect will be an extremely long and thorough response to this incident,”\r\nArkin said. The company is expected to publish an official statement this afternoon outlining the broad points of\r\nits investigation so far.\r\nArkin said Adobe is still in the process of determining what source code for other products may have been\r\naccessed by the attackers, and conceded that Adobe Acrobat may have been among the products the bad guys\r\ntouched. Indeed, one of the screen shots this publication shared with Adobe indicates that the attackers also had\r\naccess to Acrobat code, including what appears to be code for as-yet unreleased Acrobat components (see screen\r\ngrab above).\r\n“We’re still at the brainstorming phase to come up with ways to provide higher level of assurance for the integrity\r\nof our products, and that’s going to be a key part of our response,” Arkin said. He noted that the company was in\r\nthe process of looking for anomalous check-in activity on its code repositories and for other things that might\r\nseem out of place.\r\n“We are looking at malware analysis and exploring the different digital assets we have. Right now the\r\ninvestigation is really into the trail of breadcrumbs of where the bad guys touched.”\r\nThe revelations come just two days after KrebsOnSecurity published a story indicating that the same attackers\r\napparently responsible for this breach were also involved in the intrusions into the  networks of the National White\r\nCollar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training,\r\ninvestigative support and research to agencies and entities involved in the prevention, investigation and\r\nprosecution of cybercrime. As noted in that story, the attackers appear to have initiated the intrusion into the\r\nNW3C using a set of attack tools that leveraged security vulnerabilities in Adobe’s ColdFusion Web application\r\nserver.\r\nWhile Adobe many months ago issued security updates to plug all of the ColdFusion vulnerabilities used by the\r\nattackers, many networks apparently run outdated versions of the software, leaving them vulnerable to\r\ncompromise. This indeed may have also been the vector that attackers used to infiltrate Adobe’s own networks;\r\nArkin said the company has not yet determined whether the servers that were breached were running ColdFusion,\r\nbut acknowledged that the attackers appear to have gotten their foot in the door through “some type of out-of-date” software.\r\nStay tuned for further updates on this rapidly-moving story.\r\nhttps://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/\r\nPage 2 of 3\n\nUpdate 4:38 p.m. ET: Adobe has released a statement about these incidents here and here. A separate customer\r\nsecurity alert for users affected by this breach is here. Also, in a hopefully unrelated announcement, Adobe says it\r\nwill be releasing critical security updates next Tuesday for Adobe Acrobat and Adobe Reader.\r\nUpdate, Oct. 5, 4:35 p.m. ET: Rakshith Naresh, a product manager at Adobe, said in a Tweet yesterday that the\r\nbreach did not involve ColdFusion vulnerabilities.\r\nUpdate, Oct. 9, 12:50 p.m. ET: Naresh’s Tweet stating that the breach didn’t involve ColdFusion servers was\r\ndeleted at some point. I followed up with Adobe via email: An Adobe spokesperson said the company’s\r\ninvestigation is still ongoing, and that “at this time we have not identified the initial attack vector to include or\r\nexclude a ColdFusion server.”\r\nSource: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/\r\nhttps://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/" ], "report_names": [ "adobe-to-announce-source-code-customer-data-breach" ], "threat_actors": [ { "id": "a3687241-9876-477b-aa13-a7c368ffda58", "created_at": "2022-10-25T16:07:24.496902Z", "updated_at": "2026-04-10T02:00:05.010744Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "ETDA:Hacking Team", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62", "created_at": "2023-01-06T13:46:39.018236Z", "updated_at": "2026-04-10T02:00:03.183123Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "MISPGALAXY:Hacking Team", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434661, "ts_updated_at": 1775791523, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/92bd5c44018bb37bb15b90dae328d1698dd2817a.pdf", "text": "https://archive.orkl.eu/92bd5c44018bb37bb15b90dae328d1698dd2817a.txt", "img": "https://archive.orkl.eu/92bd5c44018bb37bb15b90dae328d1698dd2817a.jpg" } }