Earlier this month, this blog covered the reported breach of Adobe. The company announced in a blog post that a series of sophisticated attacks had been carried out on its network between September 11 and September 17, 2013. During that time, the IDs, encrypted passwords and credit card information of 2.9 million users were potentially accessed by unauthorized individuals.
That in and of itself is bad news for Adobe, but according to an article from the Krebs on Security blog, this incident could be much worse than originally thought. The breach could have actually reached as many as 38 million users.
According to the blog, this new information comes from a post on the hacker website AnonNews.com, where a large file called "users.tar.gz" was posted. It appeared to contain more than 150 million username and password pairs taken from Adobe. The file is the same as others that had started popping up in IT security circles.
Heather Edell, a spokesperson for Adobe, released a statement saying the company had just completed contacting all active users who were affected by the breach. She also noted that there has been no unauthorized activity on any of these accounts since.
"So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users," Edell said. "We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not."
She went on to say that the remaining 112 million accounts that are attached to the file making the rounds are invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords and test account data. However, the company is still actively investigating these accounts and is in the process of notifying inactive users of the hack.
This is a major breach of security that could have had a much worse outcome. While it may be too early to claim "all is well," it seems that a proper clean-up is under way. This also highlights the need for software security for any system that contains customer information, whether it be a point-of-sale system or a database of usernames and passwords.