Adobe security breach actually affected closer to 38 million users

UPDATE: Attackers are believed to have obtained access to invalid as well as inactive Adobe IDs along with test account data.
Written by Rachel King, Contributor

That hack attack on Adobe's user base has turned out to be a lot more serious than originally revealed.

According to Krebs on Security on Tuesday morning, the security breach is said to have impacted personal and sensitive user data tied to approximately 38 million accounts.

The original estimated figure was around 2.9 million when first admitted by Adobe representatives on October 3.

Brad Arkin, senior director of security for Adobe products and services, explained in a blog post at the time that the attack concerns both customer information and illegal access to source codes for "numerous Adobe products."

A few examples include Adobe Acrobat, ColdFusion, and the ColdFusion Builder.

The culprits were able to obtain access to a large swath of Adobe customer IDs, names, encrypted passwords, encrypted credit/debit card numbers, expiration dates, and more.

But Arkin had noted investigators don't "believe the attackers removed decrypted credit or debit card numbers" from Adobe's systems.

We reached out to Adobe PR for comment and will update this post when we hear back.

UPDATE: Adobe responded, confirming that the investigation has revaled that the original attackers obtained access to Adobe IDs and then-valid encrypted passwords for approximately 38 million active users.

Adobe spokesperson Heather Edell said that Adobe has notified all of this users via email as well as reset passwords for all Adobe IDs with valid, encrypted passwords that were believed to have been affected by the attack -- even if the users weren't actively using Adobe's software and services.

"We currently have no indication that there has been unauthorized activity on any Adobe ID account involved in the incident," Edell noted, specifying that the attackers are also believed to have obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data.

The investigation as well as notification to users is ongoing.

Editorial standards