BOSTON Oct 29 Adobe Systems Inc said
on Tuesday that the scope of a cyber-security breach disclosed
nearly a month ago was far bigger than initially reported, with
attackers obtaining data on more than 38 million customer
The software maker also said that hackers had stolen part of
the source code to Photoshop editing software that is widely
used by professional photographers.
The company disclosed the breach on Oct. 3, saying attackers
took credit card information and other data from nearly 3
million customers' accounts.
Adobe also said that the hackers accessed an undisclosed
number of Adobe IDs and encrypted passwords that were stored in
a separate database. On Tuesday, it revealed that about 38
million records from that database were stolen.
On Oct. 3, the company also reported that the attackers
stole source code to three other products: Acrobat, ColdFusion
and ColdFusion Builder.
Adobe spokeswoman Heather Edell said the software maker
believes the attackers also obtained access to "many invalid
Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted
passwords and test account data."
She said the company is still investigating to determine how
much invalid account information was breached and is in the
process of notifying affected users.
Even though the company believes the stolen passwords were
encrypted, the attackers may have been able to access them in
plain text by one of several methods, including breaking the
algorithm that Adobe used to scramble them, said Marcus Carey, a
security researcher and expert on cyber attacks, who formerly
worked as an investigator with the National Security Agency.
They could likely use those passwords to break into other
accounts because many people use the same passwords for multiple
accounts, he said.
"This is a treasure trove for future attacks," Carey said.
Adobe spokeswoman Heather Edell said that the company was
not aware of any unauthorized activity on Adobe accounts as a
result of the attack.
Yet Edell said she could not say whether stolen credit cards
or passwords had been used to launch follow-on attacks against
Adobe customers or conduct other types of cyber crimes.
"Our investigation is still ongoing," she said. "We
anticipate the full investigation will take some time to