ssndb.ms Plot Thickens

Brian Krebs’ investigation into the botnet that was being used to steal background check data (see previous summary) has taken a darker turn of late. Apparently, he has found the source code for a number of Adobe products on the hackers’ servers, leading to the conclusion that Adobe’s source code repository and their records of (avowedly encrypted) customer credit cards have been accessed by the hacking crew.

Access to the source code could help the hackers find vulnerabilities and develop exploits for use against Acrobat and Photoshop users, among other program families. The credit card data breach is also of severe concern. The data may be encrypted; however, the first two quartets of a credit card number are vendor specific and limited to a small set, possibly enabling a known-plaintext attack. This of course assumes that the hackers’ penetration did not extend to the encryption keys used by Adobe. However, given that the attackers were able to bypass Adobe’s two-factor access control to acquire their source code, I would say that we should not rule out anything as impossible just yet.

Dan Gifford – MCySec Media Manager