Adobe has admitted around 38 million active users may have had IDs and encrypted passwords accessed by unknown attackers in a breach earlier this year.
Previously, it had been estimated that around three million users had data accessed, but a new report by Brian Krebs of KrebsonSecurity revealed the true scale of the breach may have been far larger than thought – and that source code for software such as Photoshop may also have leaked.
ESET Researcher Stephen Cobb described the breach as “unprecedented” at the time, due to the fact that attackers also appeared to have accessed source code for Adobe’s Acrobat software.
Krebs says, “It also appears that the already massive source code leak at Adobe is broadening to include the company’s Photoshop family of graphical design products.”
The company now admits that “numerous” products were affected by the breach.
“Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3,” Edell wrote. The company’s ColdFusion web application platform may also have been accessed.
ESET researcher Stephen Cobb says, “Access to the source code could be a major asset for cybercriminals looking to target computing platforms such as Windows or mobile operating systems such as Android.”
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” said Adobe spokeswoman Heather Edelll.
“We have completed e-mail notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident — regardless of whether those users are active or not.”
Other leaked information also included encrypted credit or debit card numbers along with expiry dates, and “other information related to customer orders,” according to The Next Web.
Adobe has sent emails to users whose credit card details may have been leaked, according to CNET. The company has also created a page for customers potentially affected by the breach, explaining the risks, and how to change their passwords.
“Adobe’s security team recently discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products,”” the company says. “ We believe these attacks may be related. We are working diligently internally, as well as with external partners and law enforcement, to address the incident.”
Author Rob Waugh, We Live Security