The hack attack that Adobe announced early in October is actually considerably worse than originally thought. What was once believed to affect some three million customers' credit card data is now thought to have exposed the encrypted passwords of more than ten times as many customers.
Adobe has now revised the number of customers affected by its data breach from 2.9 million to "at least 38 million users," according to Krebs on Security, the cybersecurity research firm and blog that helped Adobe originally discover the massive security exposure.
The difference between the two figures is the kind of data exposed. The figures on the breach, which was first reported on Oct. 3, included 2.9 million customers' encrypted credit card data, as well as a source code "trove" on an unauthorized server that left open the possibility of the data of millions more Adobe customers being exposed.
That figure was pinned down at approximately 38 million active users. The data for those users included encrypted passwords and Adobe IDs. The data was found on a hacker website called AnonNews.org, in a 3.8GB file called "users.tar.gz," believed to be the same source code trove found earlier in Oct.
In addition to millions of active Adobe users' passwords and IDs, the file contained test accounts as well as invalid and inactive Adobe IDs and passwords. Another file posted on AnonNews.org included what is believed to be the source code for Adobe Photoshop. Other Adobe products like Adobe Reader, Acrobat and ColdFusion had their source code exposed by the hack attack as well, though this was previously known.
In a statement to CNET, Adobe confirmed the original breach but stressed that the stolen credit or debit card information was not decrypted:
"Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems."
In an effort to control the damage produced by one of the largest hacks in the past decade, Adobe has already taken steps to reset customer passwords for those affected by the breach. In addition, Adobe has offered customers whose encrypted card information may have been stolen a free one-year membership to a credit monitoring program.
For those who have not been offered a complimentary year of credit monitoring from Adobe, Krebs on Security mentioned that concerned Adobe customers (or anyone) can choose to place a fraud alert on their credit files for free, which requires potential creditors to get their approval before granting a new line of credit. They can also place a $10 security freeze on their credit files, blocking creditors from accessing credit information until it's lifted.