What happened?

On October 3, 2013, we reported via a public blog post the discovery of sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe that these attacks may be related. We are continuing to work diligently internally, as well as with external partners and law enforcement, to address the incident. We have completed notifications to all users with valid email addresses whose accounts we believed may have been at risk.

Am I affected?

How do I know if my Adobe ID and current password were involved in this security incident?

Adobe has reset passwords for all users whose current credentials (Adobe ID accounts with valid, encrypted passwords) were in the database that was taken by the attackers. We notified users in two ways:

  • We sent email notification to all users whose credentials were in the database that was taken. We prioritized by sending notification to active users first, followed by notification to inactive users and users whose passwords in the impacted database were no longer current. We notified inactive users and users whose passwords were in the database because we recognized that they may be using the same user IDs and passwords on other websites.
  • If your password was reset, you would have received, or will receive, a password reset notice on the login screen at the next attempt to log in to your Adobe ID account. If you are not prompted to change your password at login, your current credentials were not in the database that was taken.

If you would like to change your password on any Adobe service, you may do so at any time. Change your Adobe ID password.

A website I found tells me that my Adobe account is at risk, but I did not receive a password reset notice or an email from you. Is my account at risk?

We are aware that a number of websites have recently appeared, claiming to let users "validate" whether their Adobe IDs and passwords were taken and require a password change. These sites are not reliable sources of information on whether a particular user ID is at risk. The database taken by the attackers came from a backup system that had many out-of-date records and was designated to be decommissioned. Many records in the backup database taken by the attackers had no passwords or passwords that were no longer current associated with them. Adobe’s authentication system of record, which cryptographically hashes and salts customer passwords, is not the source of the database these sites are using.

We do not recommend sharing your email address with these websites. There is a risk that at least some of these sites may be designed to harvest valid email addresses for spam or phishing purposes.

What can I do to protect my login credentials if my user ID and current password were accessed?

If your Adobe ID and current password were in the database that was taken, we have already reset your password. If you use the original password on another site, you should change it immediately. We also recommend that you follow password best practices to ensure that your new password is secure:

  • Don’t reuse passwords: Your password should be unique to your Adobe ID account. Don’t reuse a password you have previously used with your Adobe ID or a password you are using on any other website.
  • Make sure that your password is difficult to guess: Your password should be at least eight (8) characters in length. It should contain a mix of different character sets, such as uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters (# $ % & - _ { }). It should not use all or part of your name or your Adobe ID.

What do I need to do?

  • If your Adobe ID and password were involved: Adobe has already reset your password. You would have received an email notification from Adobe with information on how to change your password. We have notified customers whose Adobe ID and password were involved, and that process is already underway.
  • Changing your password: Change your password to one you haven't used before. If you try to change back to the password you used before Adobe reset it, that password will no longer work. If you have not yet received a notification but would like to change your password on any Adobe service, you may do so at any time. Change your Adobe ID password.
  • Passwords and IDs for specific Adobe services: Adobe ID is a separate system from the user ID and logins associated with EchoSign, Behance, TypeKit, Marketing Cloud, and Connect Pro. If you use the same password for your Adobe ID and any of these services, please change your passwords for these other services as well.
  • Other websites: As a precaution, we also strongly recommend that you change your password on any website where you may have used the same user ID and password as your Adobe ID and password.
  • Protect yourself against non-legitimate email “phishing” attempts: If you received an email requesting you to change your password, and you’re concerned whether it is legitimate, don't click any links in the email. Instead, type www.adobe.com/go/passwordreset into your browser to be sure. How to recognize phishing attempts.

Frequently Asked Questions

What information exactly did the attacker gain access to?

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 3.1 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe that the attackers removed decrypted credit or debit card numbers from our systems.

We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.

How did Adobe discover this incident?

Adobe's security team discovered suspicious activity during regular security monitoring.

How did this incident happen?

Our investigation is still ongoing. Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers.

What has Adobe done in response?

As a precaution, Adobe immediately reset passwords for all users whose current credentials (Adobe ID accounts with valid, encrypted passwords) were in the database that was taken by the attackers to help prevent unauthorized access to Adobe ID accounts. We sent email notification to these users with information on how to change their passwords. We recommend that customers change their passwords on any website where they may have used the same user ID and password.

We also notified customers whose credit or debit card information we believe to be involved in the incident. In addition to email notification, customers whose credit or debit card information was involved received a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them. We also notified the banks processing customer payments for Adobe, so that they could work with the payment card companies and card-issuing banks to help protect customers' accounts.

We continue to work diligently internally, as well as with external partners, to address the incident. We contacted federal law enforcement and are continuing to assist in their investigation.

How did Adobe prioritize notifications?

Adobe has reset passwords for all users whose current credentials (Adobe ID accounts with valid, encrypted passwords) were in the database that was taken by the attackers. We notified users in two ways:

  • We sent email notification to all users whose credentials were in the database that was taken. We prioritized by notifying active users first, followed by notifying inactive users and users whose passwords in the impacted database were no longer current. We notified inactive users and users whose passwords were in the database because we recognized that they may be using the same user IDs and passwords on other websites.
  • If your password was reset, you would have received, or will receive, a password reset notice on the login screen at the next attempt to log in to your Adobe ID account. If you are not prompted to change your password at login, your current credentials were not in the database that was taken.

The email notification process took longer than originally anticipated given the number of email addresses and the practical limits on the number of notifications that could be sent at any one time. We also worked closely with Internet service providers to minimize the risk of emails getting blocked.

If you would like to change your password on any Adobe service, you may do so at any time. Change your Adobe ID password.

What is the geographic scope of the customer information involved in the incident?

Adobe customers worldwide provide us with account information, so we took the precaution of resetting relevant customer passwords and notifying any customers who have provided us with their credit or debit card information.

Is Adobe working with law enforcement on its investigation?

Yes.

How do I know the information I share with Adobe is secure moving forward?

We value the trust of our customers. We are working aggressively to prevent these types of events from occurring in the future. We are working diligently internally, as well as with external partners and law enforcement, to address the incident. 

How would I know if my credit or debit card information was accessed?

We notified customers whose credit or debit card information we believe to be involved in the incident. Customers whose credit or debit card information was involved received a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them.

How would I know if my Adobe ID and current password were involved in this security incident?

Adobe has reset passwords for all users whose current credentials (Adobe ID accounts with valid, encrypted passwords) were in the database that was taken by the attackers. We notified users in two ways:

  • We sent email notification to all users whose credentials were in the database that was taken. We prioritized by notifying active users first, followed by notifying inactive users and users whose passwords in the impacted database were no longer current. We notified inactive users and users whose passwords were in the database because we recognized that they may be using the same user IDs and passwords on other websites.
  • If your password was reset, you would have received, or will receive, a password reset notice on the login screen at the next attempt to log in to your Adobe ID account. If you are not prompted to change your password at login, your current credentials were not in the database that was taken.

If you would like to change your password on any Adobe service, you may do so at any time. Change your Adobe ID password.

How would I know if my name, address, phone number, email address, or other personal data was involved in this security incident?

Please send us an email at privacy@adobe.com with your request.

Was any of my information taken as a result of the security incident?

If your Adobe ID and encrypted password were in the database that was taken, we have already reset your password. Adobe has sent notification letters to all customers whose encrypted credit card information was taken. If you did not receive the letter and would like to check to see if your credit card was impacted, please contact customer support. In some cases personal data such as first name, last name, address, and phone number were removed. If you have questions about what personal data was removed from our systems, please send us an email at privacy@adobe.com with your request.

A website I found tells me that my Adobe account is at risk, but I did not receive a password reset notice or an email from Adobe. Is my account at risk?

We are aware that a number of websites have recently appeared, claiming to let users "validate" whether their Adobe IDs and passwords were taken and require a password change. These sites are not reliable sources of information on whether a particular user ID is at risk. The database taken by the attackers came from a backup system that had many out-of-date records and was designated to be decommissioned. Many records in the backup database taken by the attackers had no passwords or passwords that were no longer current associated with them. Adobe’s authentication system of record, which cryptographically hashes and salts customer passwords, is not the source of the database these sites are using.

We do not recommend sharing your email address with these websites. There is a risk that at least some of these sites may be designed to harvest valid email addresses for spam or phishing purposes.

Why have there been conflicting public reports around the number of users whose information was involved?

In our October 3 announcement, we indicated that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also indicated that the attackers removed from our systems certain information relating to 3.1 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.

We did not reference a specific number of impacted Adobe ID accounts. We communicated the information we could validate at the time of the announcement. In the process of verifying and notifying customers whose Adobe IDs and passwords we believed to be involved, we eliminated invalid records. Any number communicated in the meantime would have been inaccurate.

What can I do to protect my login credentials if my user ID and current password were accessed?

If your Adobe ID and current password were in the database that was taken, we have already reset your password. If you use the original password on another site, you should change it immediately. We also recommend that you follow password best practices to ensure that your new password is secure:

  • Don’t reuse passwords: Your password should be unique to your Adobe ID account. Don’t reuse a password you have previously used with your Adobe ID or a password you are using on any other website.
  • Make sure that your password is difficult to guess: Your password should be at least eight (8) characters in length. It should contain a mix of different character sets, such as uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters (# $ % & - _ { }). It should not use all or part of your name or your Adobe ID.

Is Adobe software itself vulnerable as a result of this incident?

We are not aware of any zero-day exploits targeting Adobe products. However, we recommend that customers run only supported versions of the software, apply all available security updates, and follow the advice in relevant security hardening guides. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products.

Should I cancel my credit cards?

Adobe notified the banks that process customer payments for Adobe, so that they could work with the payment card companies and card-issuing banks to help protect customers' accounts.

We also notified customers whose credit or debit card information we believe to be involved in the incident. In addition to email notifications, customers whose credit or debit card information was involved received a notification letter from us with additional information on steps they can take to help protect themselves against potential misuse of personal information about them.

We also recommend that customers monitor their accounts for incidents of fraud and identity theft, including regularly reviewing their account statements and monitoring free credit reports. If customers discover any suspicious or unusual activity on their account or suspect identity theft or fraud, they should report it immediately to their financial institution.

Should I change the passwords on all of my online accounts?

Adobe recommends that customers change their passwords on any website where they may have used the same user ID and password.

What security advice can Adobe provide to its customers?

Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident. However, we recommend that customers run only supported versions of the software, apply all available security updates, and follow the advice in relevant security hardening guides. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products.

We value the trust of our customers. Security guidance and best practices for many Adobe products are available on our Security pages.

What security measures does Adobe have in place to protect its customer information?

Security, and in particular the security of customer information, is very important to us. We are working diligently internally, as well as with external partners and law enforcement, to address the incident. We value the trust of our customers and will work aggressively to prevent these types of events from occurring in the future.

Adobe seems to have a lot of security issues. Why is that?

Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers. We are working diligently internally, as well as with external partners and law enforcement, to address the incident. We value the trust of our customers and will work aggressively to prevent these types of events from occurring in the future.