Adobe CEO Shantanu Narayen

Usernames and encrypted passwords from around 38 million active Adobe users were stolen as part of a cyberattack first detailed earlier this monthreports Krebs on Security. Though Adobe originally reported that information on 2.9 million customers had been compromised, it now tells Krebs that the number is far higher and that it has been resetting the passwords and notifying the owners for all of them. The initial 2.9 million accounts also had credit card information associated with them, but Adobe says that the other accounts were part of a separate database that did not include payment information.

Source code for Photoshop, Acrobat, and more was taken too

In addition to the account details, portions of the source code for Photoshop, Acrobat, Reader, and ColdFusion were also taken, reports Krebs. Some of the source code and account information has reportedly been posted online since the data breach. The source code for Photoshop appears to be unencrypted, while the account passwords are protected by encryption. Krebs attempted to crack the encryption, but says that it was unable to.

Adobe is offering a year of credit monitoring to all customers whose credit cards were accessed in the breach (though ironically enough, it's offering that service through Experian, which Krebs reported last week had fallen victim to a data breach as well). With Adobe recently beginning a transition to subscription software, more and more of its customers will have their credit cards tied to their accounts — though it's likely that users invested in earlier software haven't made that transition yet. Even so, with Adobe only reporting the number of active accounts that were compromised, it appears the breach could be even bigger still.

Update: In a letter sent to some affected customers on October 17th, Adobe explained details of the breach, including that the attacker had decrypted some accounts' credit card numbers using Adobe's own systems. However, Adobe said that it couldn't confirm whether any of that decrypted information had actually been removed from its servers, and Krebs reports that Adobe hasn't seen any sign of unauthorized activity on compromised accounts. An excerpt from the letter is below.

Although our investigation is ongoing, we believe that the third party likely removed from our systems certain customer names, payment card expiration dates, encrypted payment card numbers, and other information relating to customer orders. In addition, the third party used our systems to decrypt some card numbers. We have not been able to confirm that any decrypted card numbers were removed as a result of this access to our systems.

Adobe has confirmed the figures with us and clarified that it still believes that only the 2.9 million customers it initially reported may have had their credit card numbers compromised. The additional accounts seem to have primarily had their encrypted passwords compromised.