A cyberattack launched against Adobe affected more than 10 times the number of users initially estimated.
On October 3, Adobe revealed that it had been the victim of an attack that exposed Adobe customer IDs and encrypted passwords. At the time, the company said that hackers gained access to encrypted credit card records and login information for around 3 million users. But the number of affected accounts has turned out to be much higher.
The attack actually involved 38 million active accounts.
"So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users," Adobe spokeswoman Heather Edell told CNET. "We have completed e-mail notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident -- regardless of whether those users are active or not."
Adobe hasn't received indications of unauthorized activity on any Adobe account affected in the breach, according to Edell.
The attackers also gained access to many invalid or inactive Adobe accounts -- those with invalid encrypted passwords and those used as test accounts.
"We are still in the process of investigating the number of inactive, invalid, and test accounts involved in the incident," Edell added. "Our notification to inactive users is ongoing."
Following the initial report of the attack, Adobe reset the passwords on compromised customer accounts and sent e-mails to those whose accounts were breached and whose credit card or debit card information was exposed. At the time, Adobe had also issued the following statement:
Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.
Adobe has posted a customer security alert page with more information on the breach and an option whereby users can change their passwords.
Update, 10:37 a.m. PT: Added comment from Adobe.
(Via Krebs on Security)