Adobe's chief security officer (CSO) Brad Arkin has posted a blog on the company’s website apologising for a major security breach in which hackers accessed customer’s credit and debit card data.
The company is offering US customers whose credit card details were stolen a year’s free membership to a credit-monitoring service. It is not clear whether the scheme will be extended to UK customers.
Adobe said it had notified banks to watch out for fraudulent transactions.
In the post, Adobe CSO Brad Arkin wrote: “Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related.”
Arkin said Adobe’s own investigation found attackers accessed Adobe customer IDs and encrypted passwords on our systems. He said attackers removed information relating to 2.9 million Adobe customers. The data included customer names, encrypted credit or debit card numbers, expiry dates and other information relating to customer orders.
“At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred,” said Arkin.
As a precaution, Adobe has reset customer passwords to prevent unauthorised access to Adobe ID accounts.
“If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password,” said Arkin.
It is also believed Adobe source code may have been stolen.
The theft is an embarrassment for the company, which has been heavily promoting its Creative Cloud subscription services – now the only way to buy Adobe products.
Last year Adobe's servers were attacked due to a misconfiguration. In response to that attack, Arkin made major changes to internal security.