Adobe code theft raises its ugly head in PR Newswire breach

The folks behind the Adobe source code theft uncovered a few weeks ago — or a customer of theirs — breached the PR Newswire press release service in March and used some of that Adobe code to do so, according to security expert Brian Krebs of Krebs on Security. 

The fact that a company or companies have been hit is no surprise, security analysts said that was bound to happen. But now we know at least one of the targets.

The hackers made off with PR Newswire usernames and passwords. Per the Krebs blog post outlining the situation:

The stolen data was found on the same Internet servers that housed huge troves of source code recently stolen from Adobe Systems. Inc., suggesting the same attackers may have been responsible for both breaches. Date and time stamps on the stolen files indicate that breach at PR Newswire occurred on or after March 8, 2013.

The post noted an incident earlier this week in which Cision, another press release service, was apparently hacked and a fake press release distributed, but said there was no proof that was connected with the PR Newswire incident.

PR Newswire confirmed to Krebs that the data was theirs and said it was alerting its customers. I’ve reached out to service for comment and will update this story when one is forthcoming.

Update: A spokeswoman for PR Newswire, responding by email, said there is no evidence the Cision incident is linked to what happened with PR Newswire. She added:

“PR Newswire has protocols and redundancies in place that are designed to minimize the risk of distributing fraudulent press releases, including both technological and human safeguards prior to issuing any release.”

She added that the affected database contains approximately 10,000 records but only a “minority” of them are from active users. “Those users represent an even smaller number of customers, as each customer generally has multiple usernames. PR Newswire decided to implemented a mandatory password reset for all customers with accounts on this database as a precautionary measure,” she said.

Krebs, working with Hold Security, discovered the Adobe breach that impacted Acrobat, Acrobat Reader and ColdFusion products. The fact that full source code was stolen was of particular concern because that gives bad guys the keys to the kingdom to find and exploit vulnerabilities in popular software products before the world catches on.

While there is not, as yet, known abuse of the PR Newswire data, that’s not all that reassuring. As Hold Security posted on its website, considering that the service sends out major market-moving announcements, malicious actors could use fake releases to manipulate the stock market to their advantage.

In a chilling update Thursday to the original post, Hold Security reported that it had confirmed that the press release service was not a random target.

There is evidence, dated February 13, 2013, of a large-scale attack targeting PR Newswire’s multiple networks hitting over 2,000 IP addresses using ColdFusion exploits. The attack was sourced from a different server also used by the same group of hackers. If this attack resulted in a breach, it is possible that the hackers had access to PR Newswire infrastructure longer than previously thought.

Well, we knew it was going to be bad. Now we’re starting to see how bad it might get.

Note: This story was updated at 12:16 p.m. PDT with PR Newswire comment.