The massive trove of stolen data that hackers pulled from Adobe servers in early October may have affected as many as 38 million users, according to new reports.
The hackers stole nearly 3 million encrypted customer credit card records, as well as login data for Adobe user accounts. Recent disclosures by Brian Krebs of Krebs on Security suggest that more than 150 million usernames and encrypted passwords appear to have been stolen, including the details of at least 38 million active accounts.
At the time, the data breach caused Bala Venkat, chief marketing officer at Cenzic, to say that "Adobe has lost their 'crown jewels'." Now it looks like the breach was even worse than previously thought.
Adobe spokesperson Heather Edell said, "So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users."
She went on to say that Adobe has "completed email notification of these users." As a precaution, Adobe has also reset the passwords for all Adobe IDs believed to be involved in the incident — regardless of whether those users were active or not.
The source code for Adobe's Acrobat Reader, as well as for its ColdFusion Web application platform, was stolen in the attack, raising concerns that it could be used to design more effective malware targeting those applications. Now it appears that source code for Adobe Photoshop was also taken in the breach.
"Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3," Edell wrote.
By way of apology, Adobe is offering a year's worth of credit monitoring by Experian to customers whose encrypted credit card data was stolen in the breach.
Security researcher Craig Young was sceptical about this when approached by ITPP.
"The fact that 38 million active users were affected is the product of Adobe's very large customer base combined with a lack of either proactive or reactive security measures," he told us.
"Adobe is attempting to mitigate the risk to their reputation and public image by offering the standard, 'Sorry your account got hacked - here's a free year of credit monitoring,' response."
The true scale of the breach is still emerging, and it's likely more details will come out in the near future.