Adobe security breach actually affected closer to 38 million users

Summary: UPDATE: Attackers are believed to have obtained access to invalid as well as inactive Adobe IDs along with test account data.


That hack attack on Adobe's user base has turned out to be a lot more serious than originally revealed.

According to Krebs on Security on Tuesday morning, the security breach is said to have impacted personal and sensitive user data tied to approximately 38 million accounts.

The original estimated figure was around 2.9 million when first admitted by Adobe representatives on October 3.

Brad Arkin, senior director of security for Adobe products and services, explained in a blog post at the time that the attack involved both customer information and illegal access to source code for "numerous Adobe products."

A few examples include Adobe Acrobat, ColdFusion, and the ColdFusion Builder.

The culprits were able to obtain access to a large swath of Adobe customer IDs, names, encrypted passwords, encrypted credit/debit card numbers, expiration dates, and more.

But Arkin had noted investigators don't "believe the attackers removed decrypted credit or debit card numbers" from Adobe's systems.

We reached out to Adobe PR for comment and will update this post when we hear back.

UPDATE: Adobe responded, confirming that the investigation has revealed that the original attackers obtained access to Adobe IDs and then-valid encrypted passwords for approximately 38 million active users.

Adobe spokesperson Heather Edell said that Adobe has notified all of these users via email as well as reset passwords for all Adobe IDs with valid, encrypted passwords that were believed to have been affected by the attack -- even if the users weren't actively using Adobe's software and services.

"We currently have no indication that there has been unauthorized activity on any Adobe ID account involved in the incident," Edell noted, specifying that the attackers are also believed to have obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data.

The investigation as well as notification to users is ongoing.

Topics: Security, Cloud, Enterprise Software, Privacy, Software


Rachel King is a staff writer for CBS Interactive based in San Francisco, covering business and enterprise technology for ZDNet, CNET and SmartPlanet. She has previously worked for The Business Insider,, CNN's San Francisco bureau and the U.S. Department of State. Rachel has also written for, Irish Americ...
