KrebsOnSecurity reported today that the massive security breach at Adobe encompasses the passwords of 38 million users, as well as source code for the company’s Photoshop products, Acrobat and ColdFusion. Adobe had originally said that 2.9 million users had their encrypted credit or debit card numbers stolen, but had not disclosed how many users had their usernames and encrypted passwords taken.
AnonNews.org reportedly released a file over the weekend that contained usernames and hashed passwords. According to Krebs, it appears to be the same file which was found on a server that also contained stolen Adobe source code.
Adobe spokesperson Heather Edell told KrebsOnSecurity that Adobe has reached out to all of the active users affected by the breach. But, according to the company’s analysis, attackers also managed to get usernames and password data for inactive accounts as well.
“We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident,” Edell said. “Our notification to inactive users is ongoing.”
For those people who had their financial data stolen in addition to their password, Adobe is offering free credit monitoring from Experian for a year. Ironically, Experian is also caught in a security scandal of its own.
[This story has been updated to clarify details of Adobe’s initial disclosure.]
Previously on GeekWire: Adobe hack steals 2.9M accounts, plus source code