The huge security breach at software maker Adobe is even bigger than first reported, with more than 150 million credentials stolen, including records on up to 38 million active customers, according to a report by Brian Krebs at the web site Krebsonsecurity.com.
Krebs said in a story posted Tuesday that Adobe’s initial estimate, that user names and passwords for around three million customers had been taken, was well short of the actual number stolen by the hackers who breached the company’s network. Citing a file posted on the website Anonnews.org, Krebs said the actual number of stolen Adobe accounts is much larger: 150 million username and hashed password pairs, including credentials for 38 million “active” accounts, according to Adobe spokesperson Heather Edell.
Edell told Krebs that Adobe has just completed a campaign to contact active users whose user IDs and encrypted passwords were stolen (this author included). Those customers are being encouraged to change their passwords.
The disclosure is more bad news for Adobe, which admitted to the compromise in early October. The company learned of the hack after an investigation by Krebs and Hold Security turned up evidence of a massive breach: a 40-gigabyte trove of data that included customer information and source code for many of the company’s products, including Adobe Acrobat, Cold Fusion, Publisher and others. Among the data posted on Anonnews.org were snippets of code that appear to be from Adobe’s popular Photoshop image editing software. Asked about that, Adobe confirmed to Krebs that source code repositories for Photoshop may also have been breached in the attack.
At the time, Krebs and Hold Security said their research of the data trove, which was stored on a partially protected server, suggested tens of millions of accounts were affected. But the researchers had only limited access to the contents of the hackers’ server, and Adobe refused to “speculate” on the actual number of hacked accounts. The file, which was posted in a forum on Anonnews.org on October 24, provided a view of the full trove of stolen customer credentials: 153 million usernames and hashed passwords in all. The post was accompanied by the message “153kk clients adobe inc … mail hash secret….Lulzsec forever.”
Many of those are what Adobe terms “inactive IDs,” a category that, according to Edell, includes accounts with invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data. The company is still investigating to determine just what share of the 150 million fall into one of those categories. In the meantime, it is notifying all those affected, regardless of whether their account was active or inactive, Edell told Krebsonsecurity.
As with past breaches, the trove of user names and passwords holds considerable value for hackers, even if the credentials cannot be used to log into Adobe’s web site. The common practice of reusing email addresses and passwords across sites makes it likely that the same credentials will provide access to other sites, including e-commerce, online banking and corporate networks.