Adobe hack attack affected 38 million accounts

The recent security breach that hit Adobe exposed customer IDs, passwords, and credit and debit card information.

Lance Whitney Contributing Writer

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

See full bio

Lance Whitney

Oct. 29, 2013 5:32 a.m. PT

2 min read

A cyberattack launched against Adobe affected more than 10 times the number of users initially estimated.

On October 3, Adobe revealed that it had been the victim of an attack that exposed Adobe customer IDs and encrypted passwords. At the time, the company said that hackers gained access to encrypted credit card records and login information for around 3 million users. But the number of affected accounts has turned out to be much higher.

The attack actually involved 38 million active accounts.

"So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users," Adobe spokeswoman Heather Edell told CNET. "We have completed e-mail notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident -- regardless of whether those users are active or not."

Adobe hasn't received indications of unauthorized activity on any Adobe account affected in the breach, according to Edell.

The attack also gained access to many invalid or inactive Adobe accounts -- those with invalid encrypted passwords and those used as test accounts.

"We are still in the process of investigating the number of inactive, invalid, and test accounts involved in the incident," Edell added. "Our notification to inactive users is ongoing."

Following the initial report of the attack, Adobe reset the passwords on compromised customer accounts and sent e-mails to those whose accounts were breached and whose credit card or debit card information was exposed. At the time, Adobe had also issued the following statement:

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.

Adobe has posted a customer security alert page with more information on the breach and an option whereby users can change their passwords.

Update, 10:37 a.m. PT: Added comment from Adobe.

(Via Krebs on Security)