updated 05:38 pm EST, Mon November 25, 2013
Up to 138 million Adobe CC accounts violated by data breach
Adobe has admitted that it is taking significantly longer than it expected to email all of the customers affected by the epic-scale security breach, with some victims still not being contacted more than 10 weeks after the data theft. Despite discovering the attack on September 17, Adobe did not go public with the information until October 3, with the company still having not informed all affected customers two full months after the breach.
"Email notifications are taking longer than we anticipated," said Adobe spokeswoman Heather Edell. Edell claims that 2.9 million customers with lost financial information have been notified, but declined to number what percentage of the over 30 million have been informed to date.
Circulating on the Internet is a file containing information on 125 million Adobe ID accounts stolen in the attack, along with encrypted passwords, and password hints. Several security firms have evaluated the file and determined it to be genuine. Adobe claims that at least 25 million records have invalid email addresses, with a "large percentage" being fictitious, and configured for one-time use.
The user data taken was described as "many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords and test account data" by Edell. The company is continuing its investigation to determine which service users are affected. Edell claims that the company wasn't aware of unauthorized use of Adobe accounts as a direct result of the attack. "Our investigation is still ongoing," she said. "We anticipate the full investigation will take some time to complete."
The company is also notifying all banks that process customer payments for Adobe of the breach to help protect customer accounts. Federal law enforcement agencies have also been contacted, and Adobe says it is assisting in their investigations. While saying that "cyber attacks are one of the unfortunate realities of doing business today," Adobe Chief Security Officer Brad Arkin said the company "deeply regrets" that the incident occurred, and that "we will work aggressively to prevent these types of events from occurring in the future."