Adobe, known for its Reader and Acrobat software, has confirmed that the cyber attack it recently suffered impacted 38 million users - more than 10 times the 2.9 million customers it had said were affected initially.
The attack, which the company confirmed earlier this month, enabled attackers to retrieve the private information of customers, including their names, encrypted credit card and debit card numbers, expiration dates, and other data relating to customers' orders.
Further reading Adobe cyber attack: 2.9 million customers' private data stolen Security flaw puts Adobe Acrobat and Reader users at risk Adobe issues fix for zero-day Flash vulnerabilities
Adobe has now admitted that it was a far higher number of users that were affected, and that many of the logins that were taken were of active users.
"So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users," Adobe spokesperson Heather Edell told security expert Brian Krebbs.
"We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident-regardless of whether those users are active or not," she added.
Invalid or inactive Adobe IDs and IDs with invalid encrypted passwords were also obtained by attackers, Edell said, and an investigation into the figures of these accounts is ongoing.
The Adobe breach involved theft of source code for Adobe Acrobat, Reader, ColdFusion and ColdFusion builder, while other Adobe products by an unauthorized third party were also being investigated. Adobe has now admitted that hackers also stole part of the source code of popular photography editing software Photoshop.
"Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on October 3," Edell explained.
Customers were told by Adobe's chief security officer Brad Arkin earlier this month that if their ID was affected, their passwords would be reset.
It said it would notify customers whose credit or debit card information is believed to be compromised and would offer those customers one year's credit monitoring for free.
