Adobe breach THIRTEEN times worse than thought, 38 million users affected


At the start of this month, Adobe let it slip that it had suffered a data breach.

The attackers had managed to access customers’ Adobe IDs, encrypted passwords, names, encrypted debit and credit card numbers, expiry dates and order details.

Brad Arkin, Adobe’s Chief Security Officer, wrote in a blog post at the time:

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million [emphasis added] Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.

It looks like that number was a huge underestimation. According to Adobe spokesperson Heather Edell, the final tally is around 38 million users, all of them active:

So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users.

We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.

She added that now that Adobe had finished informing the affected active users, it was working on contacting inactive users.

We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident... Our notification to inactive users is ongoing.

At the time, Adobe also reported the theft of source code from some of its flagship products. Originally thought to be just Reader, Acrobat and ColdFusion, Edell confessed Adobe appears to have had some of its Photoshop source code nabbed too:

Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3.

Adobe has posted a help document for affected users.

While Adobe says the passwords that were taken were encrypted, encryption is not entirely foolproof and the passwords could still be cracked, so let this act as another reminder to use different passwords on EVERY SINGLE online account you have.

And make sure you choose a strong password for each too, and not just the name of your cat, dog, guinea pig or goldfish.