By Joseph Menn
BOSTON (Reuters) - Adobe Systems Inc said on Thursday that hackers had stolen source code to some of its most popular software and data about millions of its customers.
Security experts worry about the theft of source code because close review of the programs can lead to the discovery of new flaws that can be used to launch hard-to-detect attacks against all users of that software.
The hackers took source code for Adobe Acrobat, which is used to create electronic documents in the PDF format, as well as ColdFusion and ColdFusion Builder, used to create Internet applications, Adobe said.
Adobe Chief Security Officer Brad Arkin said the company had been investigating the breach since its discovery two weeks ago and that it had no evidence of any attacks based on the theft. "Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident," Arkin wrote on an Adobe blog.
Arkin said hackers also took information on 2.9 million Adobe customers, including their names, user identification numbers and encrypted passwords and payment card numbers. He said the attacks may be related.
The company said it was resetting passwords for affected customers worldwide and warning people to change any passwords reused at other sites. The U.S. Department of Homeland Security's computer incident response team on Thursday warned that Adobe customers should be on the alert for fraud.
Adobe said it was working with banks and federal law enforcement to mitigate intrusions on customer accounts and to pursue those responsible.
The company said it had been helped by cybersecurity journalist Brian Krebs and security expert Alex Holden, who found a cache of Adobe code while probing attacks at three major U.S. data providers.
Krebs wrote on his blog, KrebsonSecurity.com, on Thursday that the two men discovered the code while investigating breaches at Dun & Bradstreet Corp, Altegrity Inc's Kroll Background America Inc and Reed Elsevier's LexisNexis Inc.
He said the Adobe code was on a server that he believed was used by those who hacked into LexisNexis and the others. The hackers offered Social Security numbers, credit report information and other highly sensitive data for sale over the Internet and had access inside the companies' websites through hacked computers, Krebs said.
In a 10-Q filing on Thursday, Adobe referred to the recent attacks in one paragraph. "We do not believe that the attacks will have a material adverse impact on our business or financial results," it said. "It is possible, nevertheless, that this incident could have various adverse effects."
(Reporting by Joseph Menn and Jim Finkle; Editing by Eric Walsh and Carol Bishopric)