Brian Krebs has updated his investigation into the Adobe hack that was originally reported to have affected 2.9 million customers.
In a post on KrebsonSecurity.com today, Brian writes that at least 38 million are affected.
But just this past weekend, AnonNews.org posted a huge file called “users.tar.gz” that appears to include more than 150 million username and hashed password pairs taken from Adobe. The 3.8 GB file looks to be the same one Hold Security CTO Alex Holden and I found on the server with the other data stolen from Adobe.
Adobe spokesperson Heather Edell said the company has just completed a campaign to contact all existing users whose login and encrypted password information was stolen, urging those users to reset their passwords. She said Adobe has no indication that there has been any unauthorized activity on any Adobe ID involved in the incident.
In a statement to Krebs, Adobe writes:
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” Edell said [emphasis added]. “We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.”
Read more on KrebsonSecurity.com.