Remember the successful attack against Adobe’s networks made public earlier this month? Well, as it turns out, the damage is larger than initially thought.
Early results if the investigation pointed to attackers making off with personal, account, and encrypted financial information of nearly 3 million Adobe customers, as well as the source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products.
But the latest report by Brian Krebs shows that a copy of a file containing Adobe user account that he and researcher Alex Holden discovered on the attackers’ server was linked to on AnonNews.org over the weekend, and was discovered to contain more than 150 million usernames and corresponding encrypted passwords.
According to Adobe, of that number only 38 million pairs belong to active users, and they were immediately informed of the theft and urged to change their passwords. Whether the attackers have misused that information is still unknown, but Adobe has reset the passwords for all Adobe IDs with valid, encrypted passwords that they believe were involved in the incident, regardless of whether those users are active or not.
Another file that has been linked to on AnonNews.org this weekend has also been lifted by Krebs and Holden from the attackers’ servers, but they were unable to crack the encryption. This recently published version was unencrypted, and seemingly contains source code for Adobe’s popular Photoshop software.
Adobe has confirmed that “a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3.” They have asked the site hosting the file (to which AnonNews.org linked to) to take down the files and the site admins have complied.