Adobe security breach actually affected closer to 38 million users

Summary: UPDATE: Attackers are believed to have obtained access to invalid as well as inactive Adobe IDs along with test account data.


That hack attack on Adobe's user base has turned out to be a lot more serious than originally revealed.

According to Krebs on Security on Tuesday morning, the security breach is said to have impacted personal and sensitive user data tied to approximately 38 million accounts.

The original estimated figure was around 2.9 million when first admitted by Adobe representatives on October 3.

Brad Arkin, senior director of security for Adobe products and services, explained in a blog post at the time that the attack involved both customer information and illegal access to source code for "numerous Adobe products."

A few examples include Adobe Acrobat, ColdFusion, and the ColdFusion Builder.

The culprits were able to obtain access to a large swath of Adobe customer IDs, names, encrypted passwords, encrypted credit/debit card numbers, expiration dates, and more.

But Arkin had noted investigators don't "believe the attackers removed decrypted credit or debit card numbers" from Adobe's systems.

We reached out to Adobe PR for comment and will update this post when we hear back.

UPDATE: Adobe responded, confirming that the investigation has revealed that the original attackers obtained access to Adobe IDs and then-valid encrypted passwords for approximately 38 million active users.

Adobe spokesperson Heather Edell said that Adobe has notified all of these users via email as well as reset passwords for all Adobe IDs with valid, encrypted passwords that were believed to have been affected by the attack -- even if the users weren't actively using Adobe's software and services.

"We currently have no indication that there has been unauthorized activity on any Adobe ID account involved in the incident," Edell noted, specifying that the attackers are also believed to have obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data.

The investigation as well as notification to users is ongoing.

  • Say it ain't so...

    Really? I can't believe that a fine upstanding organization like Adobe would be attacked, much less under-report damage after the fact.
  • What?

    That's the worst-written spam I've ever read. Can't you find someone in Nigeria to give you English Composition lessons?
    • Grammar that bad?

      The grammar was that bad? I didn't think so. But, did the PR rep really say 'Adobe has notified all of this users via....'? But no spell check, really? "has revaled that".
  • Adobe Cares - yeah right

    I was a subscriber - my CC# was not in Adobe's system, my product was part of a retraining paid for by WCB. BUT - I'm getting a gazillion spams - all to my Adobe ID - and Adobe doesn't care a lick. I'm currently seeking out non-Adobe products to do what I used to do with Creative Suite.
  • How was adobe cracked?

    Adobe was hacked because they failed to update the very same product they hounded us in emails over.