KrebsOnSecurity’s Brian Krebs (who tipped off Adobe to the apparent hack several weeks after it had occurred) reports that the pool of affected Adobe users is actually at least 38 million people, a group 13 times larger than previously announced.
Over the weekend, someone posted a 3.8 GB file online that Krebs says looks identical to the stash of stolen Adobe info he stumbled upon back in September. It includes more than 150 million username and hashed password pairs.
In spite of the size of the hack, Adobe says it knows of no Adobe users whose accounts have been accessed using the stolen info.
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” says a company rep. “We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.”
The pool of affected Adobe users could grow as the company investigates further. It says that many of the IDs and encrypted passwords accessed during the hack were no longer valid. Regardless, Adobe says it is still trying to track down and notify those inactive customers.
In addition to the stolen user data, the hackers were able to access source code for Adobe software. Krebs was unable to crack the password on that source code file when he found the data stash, but the file uploaded over the weekend was not password-protected. It appears to be the source code for Adobe’s incredibly popular Photoshop image-editing software.
“Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3,” admits the company rep.