The Adobe security breach that took place at the start of this month was bigger than first thought — much bigger.
While the U.S. software giant originally said 2.9 million accounts had been compromised, it emerged this week that it now believes around 38 million accounts were affected.
Adobe said at the time of the breach it was likely that data including customer names, encrypted credit and debit card numbers, expiration dates, and other information relating to customer orders had been obtained by hackers.
It also revealed that a number of Adobe IDs and encrypted passwords from a different database had also been accessed. This week the company said that it was from this database that around 38 million records had been taken.
And the hackers didn’t stop there. According to the software company, they also got their hands on part of the source code for its big-selling image-editing software, Photoshop. When news of the security breach broke earlier this month, Adobe said source code for a number of its other products, including Adobe Acrobat, ColdFusion, ColdFusion Builder, had also been stolen.
Commenting on why the company has taken so long to communicate the full extent of the hack, an Adobe spokeswoman said, “In our [original] public disclosure, we communicated the information we could validate.”
She explained, “As we have been going through the process of notifying customers whose Adobe IDs and passwords we believe to be involved, we have been eliminating invalid records. Any number communicated in the meantime would have been inaccurate.”
Adobe has since reset passwords on accounts it believes have been affected by the attack and has been sending out emails to these customers explaining how they can change their password to one of their choosing.
The company also strongly advised users to change their passwords on any other website where they may have used the same user ID and password as their Adobe account.
Writing about the incident at the beginning of October, Adobe chief security officer Brad Arkin said “cyberattacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyberattackers.”
The spokeswoman said that so far there’s no evidence of suspicious activity on user accounts affected by the security breach, adding that the investigation is ongoing.