Adobe spokeswoman Heather Edell said: "So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users.
"We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident -- regardless of whether those users are active or not."
Edell said Adobe believes that the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data.
“We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident,” she said. “Our notification to inactive users is ongoing.”
The company disclosed the initial breach on October 3, when Brad Arkin, Adobe's chief security officer, announced: "Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems.
"We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.
"At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems."
"We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident -- regardless of whether those users are active or not."
Edell said Adobe believes that the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data.
“We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident,” she said. “Our notification to inactive users is ongoing.”
The company disclosed the initial breach on October 3, when Brad Arkin, Adobe's chief security officer, announced: "Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems.
"We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.
"At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems."