Earlier this month, Adobe revealed that hackers broke into its computer systems and walked away with stolen user names, passwords and credit cards.
It said 2.9 million customers were affected, in a story broken by security blogger Brian Krebs.
On Tuesday, Adobe also admitted that many more of Adobe’s customers were involved: At least 38 million. In addition to the 2.9 million, hackers obtained millions of passwords, too.
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” an Adobe spokesperson told Business Insider.
And that might not even the end of it. Because Krebs says that he found evidence that hackers could really have access to 150 million user names and passwords. Over the weekend, someone posted a 3.8 GB file to a site used by the hacker group Anonymous that Krebs says looks just like a file he found in September.
In September, he and security professional Alex Holden, of Hold Security, discovered a huge file stashed on a server known to be used by criminal hackers. The file apparently contained a big portion of Adobe’s software.
Krebs told Adobe about it and Adobe admitted that someone had also broken into the part of its networks that held user names and credit cards, with 2.9 million customers affected.
Adobe says it has been emailing customers about the breach.
One bit of good news: It doesn’t look like hackers got credit card info on all 38 million Adobe customers.
Still, if you use Adobe software, you might want to change your password.
Here is the full statement Adobe sent us:
“As we have been going through the process of notifying customers whose Adobe IDs and passwords we believe to be involved, we have been eliminating invalid records. Any number communicated in the meantime would have been inaccurate. So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and what were at the time valid, encrypted passwords for approximately 38 million active users.
We have completed email notification of these users. We believe the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data. We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident. Our notification to inactive users is ongoing. We currently have no indication that there has been unauthorised activity on any Adobe ID account involved in the incident.”