The number came to light after renowned security research Brian Krebs wrote on his blog that he had seen a data dump on a website called Anonnews.org with 150 million usernames and passwords. Adobe later confirmed to Krebs that only a portion of these were active users.
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and – what were at the time valid – encrypted passwords for approximately 38 million active users,” an Adobe spokesperson told Krebs.
“We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident – regardless of whether those users are active or not.”
V3 contacted Adobe for direct comment on the revelations but had received no reply at the time of publication.
Krebs helped Adobe uncover and monitor the original attack on its networks. The theft of account details came alongside an attack on Adobe source code of Acrobat, ColdFusion, ColdFusion Builder and other unnamed Adobe products.
Adobe confirmed to Krebs that source code for Photoshop was among some of the other products affected. “Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on 3 October,” it said.
Vulnerabilities in ColdFusion were also blamed as the root by which a 28-year-old UK man named Lauri Love was able to infiltrate US army systems after he was arrested earlier in October by the UK's National Crime Agency.