The attack against Adobe earlier this month was larger than the company originally let on.
When the investigation began, indications were that attackers had made off earlier this month with personal, account, and encrypted financial information of nearly 3 million Adobe customers, as well as the source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products.
But the latest report by security journalist Brian Krebs describes a copy of a file containing Adobe user accounts that he and researcher Alex Holden discovered on the attackers’ server, linked to AnonNews.org over the weekend; the file was found to contain more than 150 million user names and corresponding hashed passwords.
Adobe said that, of that number, only 38 million pairs belong to active users; the company got in touch with those users, immediately informed them of the theft, and requested that they change their passwords. Whether the attackers have misused that information is still unknown, but Adobe has reset the passwords for all Adobe IDs with valid, encrypted passwords it believes were involved in the incident, regardless of whether those users are active or not.
Krebs and Holden found another file from the attackers’ servers linked to AnonNews.org this weekend, but they were unable to crack the encryption. One published version of the files contained source code for Adobe’s Photoshop software.
Adobe confirmed “a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3.” The company has asked the site hosting the file (to which AnonNews.org linked) to take down the files, and the site administrators agreed to the request.