October 30, 2013
Adobe Breach Affected 38 Million, Not 3 Million As Previously Thought
Michael Harper for redOrbit.com - Your Universe Online
Earlier this month Adobe acknowledged a security breach which left millions of customers’ names, passwords and encrypted credit and debit card information vulnerable. At the time, it was believed three million people were affected by this attack, but further digging by security researcher Brian Krebs has revealed this number is much higher. After finding a large file posted by hacking group Anonymous this weekend, Brian Krebs now says the number of people who had their information stolen from Adobe is closer to 38 million.
Adobe has now confirmed this number and says this only accounts for active users, and that millions of other IDs may have also been compromised. The attackers took more than customer information in their September attack — they also walked away with the source code to Adobe’s Acrobat and ColdFusion products. Now, Krebs says the attackers were also able to obtain the source code to Photoshop, one of the most popular pieces of software used by millions every day.
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” said Adobe spokesperson Heather Edell in a statement to KrebsOnSecurity, Brian Krebs’ security blog.
“We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.”
Originally it was believed the Photoshop source code was safe from this attack, but a file hosted online this weekend matches the source code. Edell now says this source code was stolen and that the company has been asking the sites hosting the code to take it down. AnonNews, the news website run by Anonymous, has been hosting this source code.
“Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3,” said Edell.
In the wrong hands, the source code to any piece of software could become extremely dangerous. With this code, cybercriminals can write a specially designed virus meant to take advantage of the software or even work in tandem with it. This means anyone using Photoshop is effectively in danger of having their computer infected with a malicious virus.
When Adobe announced the breach at the beginning of the month, it offered free credit monitoring services to those customers who had their credit card information leaked. Ironically, the credit monitoring service is offered through Experian, itself a victim of a recent attack. A website called Superget.info once sold the private information of innocent people, including birthdays, social security numbers, driver's licenses, and more. A few weeks ago it was discovered the owners of this website managed to purchase this information directly from Experian.
The number of affected users has grown more than tenfold, and it could continue to grow.
"Our investigation is still ongoing," said Edell in the statement. "We anticipate the full investigation will take some time to complete."