Data stolen from Adobe contained the usernames and passwords of 38 million users, more than ten times the software giant's estimate when the breach was originally revealed in early October.
Adobe ups stolen password estimate from 2.9 million to 38m. (Reuters)
It has also been revealed that stolen source code data includes that of Adobe's Photoshop application, as well as Acrobat, Reader and ColdFusion, according to security expert Brian Krebs, who assisted in identifying the cyber-attack.
Speaking to Krebs, Adobe spokesperson Heather Edell said the company has now contacted all affected users, urging them to reset their passwords, adding: "So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users."
When the company first admitted it had fallen victim to the cyber attack on 3 October, it was hesitant to speculate on the number of users potentially impacted.
Krebs and fellow researcher Alex Holden discovered password-protected files containing stolen Adobe data, but were unable to access them. However, earlier this week an unprotected 3.8GB file was posted on AnonNews.org which according to Krens "appears to include more than 150 million username and hashed password pairs taken from Adobe."
Photoshop source code
At the time of the attack, Krebs and Holden also unearthed a 2.56GB file called 'pha.tar.z', but they were unable to crack its password. However, this week a file of the same size and name was also posted on AnonNews without a password; its contents "appeared to be source code for Adobe Photoshop," Krebs said.
Source code for Adobe's Acrobat and Reader applications was discovered on the same server used by cyber-criminals who hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll.
Edell added: "Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident". Edell added that Adobe contacted the sites hosting the two files posted to AnonNews and had them taken down.
Adobe said it has no indication that there has been any unauthorised activity on any Adobe IDs involved in the data breach, and that investigations are continuing into the theft of invalid and inactive Adobe IDs, as well as test accounts.
To contact the editor, e-mail: