The numbers increase: 38 million user accounts affected by Adobe hack
Back at the start of the month, Adobe reported that the company’s network had suffered a breach and that as a result the accounts of 2.9 million customers had been compromised. Sounds bad? It's worse than first thought. And not just a bit worse; much, much worse. Upon further analysis of the figures Brian Krebs of KrebsOnSecurity puts the numbers at 38 million user accounts.
We reported the security breach at the time, and it is amazing to discover that the figure of 2.9 million affected users is in fact more than ten times as high. So how could the figures have been misread to such an extent? Apparently, many of the directories of data were password protected, making it difficult to give precise numbers at the time.
In fact it was not just user accounts that were compromised. Source code for a number of Adobe applications -- including Acrobat, Reader and Photoshop -- was also obtained. As recently as this weekend, an unencrypted file seemingly containing data from Adobe appeared on AnonNews.org; an encrypted version of the file had previously been made available but security firms were unable to crack the password.
A spokeswoman for Adobe, Heather Edell said that the investigation is ongoing and that the attackers gained access to "many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords and test account data". She went on to say:
"So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and what were at the time valid, encrypted passwords for approximately 38 million active users. We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.
We believe the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data. We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident. Our notification to inactive users is ongoing.
We currently have no indication that there has been unauthorized activity on any Adobe ID account involved in the incident."
Have you been contacted by Adobe to let you know that yours is one of the affected accounts? Share your experiences in the comments.