Adobe data breach more extensive than previously disclosed


By Jim Finkle

BOSTON, Oct 29 (Reuters) - Adobe Systems Inc saidon Tuesday that the scope of a cyber-security breach disclosednearly a month ago was far bigger than initially reported, withattackers obtaining data on more than 38 million customeraccounts.

The software maker also said that hackers had stolen part ofthe source code to Photoshop editing software that is widelyused by professional photographers.

The company disclosed the breach on Oct. 3, saying attackerstook credit card information and other data from nearly 3million customers' accounts.

Adobe also said that the hackers accessed an undisclosednumber of Adobe IDs and encrypted passwords that were stored ina separate database. On Tuesday, it revealed that about 38million records from that database were stolen.

On Oct. 3, the company also reported that the attackersstole source code to three other products: Acrobat, ColdFusionand ColdFusion Builder.

Adobe spokeswoman Heather Edell said the software makerbelieves the attackers also obtained access to "many invalidAdobe IDs, inactive Adobe IDs, Adobe IDs with invalid encryptedpasswords and test account data."

She said the company is still investigating to determine howmuch invalid account information was breached and is in theprocess of notifying affected users.

Even though the company believes the stolen passwords wereencrypted, the attackers may have been able to access them inplain text by one of several methods, including breaking thealgorithm that Adobe used to scramble them, said Marcus Carey, asecurity researcher and expert on cyber attacks, who formerlyworked as an investigator with the National Security Agency.

They could likely use those passwords to break into otheraccounts because many people use the same passwords for multipleaccounts, he said.

"This is a treasure trove for future attacks," Carey said.

Adobe spokeswoman Heather Edell said that the company wasnot aware of any unauthorized activity on Adobe accounts as aresult of the attack.

Yet Edell said she could not say whether stolen credit cardsor passwords had been used to launch follow-on attacks againstAdobe customers or conduct other types of cyber crimes.

"Our investigation is still ongoing," she said. "Weanticipate the full investigation will take some time tocomplete."

View Comments (0)