Adobe has admitted that almost three million customers' credit card details have been compromised in a cyber-attack which also saw source code for its software products stolen.
In a statement the company said it believed hackers had stolen a database of an unknown number of customer IDs and their encrypted passwords, along with "certain information" relating to 2.9 million customers, including their names, encrypted credit or debit card numbers, expiration dates of these cards, and other information relating to customer services.
In an attempt to reassure customers, the company behind Photoshop and InDesign said it does not believe the attackers removed decrypted credit or debit card numbers from its systems, adding: "We deeply regret that this incident occurred. We're working diligently internally, as well as with external partners and law enforcement, to address the incident."
Elaborating on its actions, Adobe said as a precaution it is resetting relevant customer passwords to help prevent unauthorised access to their Adobe accounts. Any customers affected by the attack will receive an email from Adobe notifying them of the incident and explaining how to create a new password. The company also suggests affected users change their passwords on any sites where they may have used the same user ID or password.
Similarly, Adobe is working to notify users whose credit or debit card details were stolen, contacting them with information on how to stop potential misuse of this information.
As compensation, the company is offering a year of free credit-monitoring membership for any affected customers who want it.
Banks that process customer payments for Adobe have been notified to help protect customers whose financial information has been stolen.
"Source code trove"
The company is also investigating the theft of source code relating to numerous Adobe products, but adds that "based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident."
Affected products include Acrobat, ColdFusion and ColdFusion Builder, along with what appears to be as-yet unreleased Acrobat components.
The source code hack was first discovered by renowned computer security expert Brian Krebs, working with fellow researcher Alex Holden of Hold Security LLC, who discovered what Krebs describes as "a massive 40GB source code trove."
Krebs says he discovered the source code on a server which was used by the same cyber-criminals who hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll.
Credit card transactions
In an interview with Krebs, Adobe confirmed it believes hackers accessed a source code repository "sometime in mid-August 2013," after breaking into a portion of Adobe's network that handles credit card transactions for customers.
Adobe's chief security officer Brad Arkin told Krebs shortly before the company made the findings public: "We're still at the brainstorming phase to come up with ways to provide higher level of assurance for the integrity of our products, and that's going to be a key part of our response.
"We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched."