Adobe has confirmed that 2.9 million of its customers may have been affected by a data breach and that the attackers may have had access to its users’ financial information.
The firm said Thursday that it discovered “sophisticated attacks” on its network that accessed customer information, as well as source code for some of its products.
Earlier this week, Adobe said that its source code had been accessed, crediting work from journalist Brian Krebs and researcher Alex Holden of Hold Security for helping it respond to the incident. At that time, Adobe said that it was not aware of any exploits being used to target Adobe products as a result of that attack.
On Thursday, the firm said that customer information such as names, encrypted credit or debit card numbers, expiration dates and “other information relating to customer orders” may have been accessed, although it has no evidence that any credit card numbers left its systems.
According to Krebs, the firm first became aware of the breach last week, when he and Holden discovered a large file containing source code on the server of cybercriminals believed to have hacked into the databases of data aggregators including LexisNexis.
After being notified of the breach, Adobe told Krebs that it believes its systems were accessed in mid-August and that it has been investigating a possible breach since Sept. 17.
The company has reset the passwords of all customers it believes were affected by the breach, has notified banks that process customer payments for Adobe about the problem, and is alerting customers that their accounts may have been accessed. Adobe also said that it is working with federal law enforcement and assisting with an investigation into the breach.