What happened
According to public breach records, the Adobe data breach on October 4, 2013 is reported to have exposed the personal information of 152,445,165 accounts.
In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.
Passwords in this breach were reportedly stored in plaintext.
Adobe publicly disclosed the breach on October 3, 2013, after security researcher Brian Krebs and Hold Security found a roughly 40GB trove of stolen Adobe source code (ColdFusion, Acrobat and other products) on a server tied to the attackers, which helped steer Adobe's investigation. Adobe initially reported about 2.9 million affected customer records but the leaked dataset ultimately covered more than 152 million accounts, each containing an internal ID, username, email, an encrypted password and a plaintext password hint. What made it notable was the password storage: passwords were encrypted with a deterministic scheme rather than properly salted-and-hashed, so identical passwords produced identical ciphertext, and because the hints were stored in plaintext, analysts (notably Troy Hunt) could infer huge numbers of passwords once the data leaked.
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Password hints
- Passwords
- Usernames
Breach details
| Detail | Value |
|---|---|
| Breach name | Adobe |
| Date | October 4, 2013 |
| Accounts affected | 152,445,165 |
| Domain | adobe.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Adobe; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your Adobe password immediately and replace it anywhere you reused that same email/password combination, since the leaked credentials have circulated publicly for years.
- Delete or update any password hint you used; the plaintext hints in this leak often described the password directly and can still aid guessing.
- Enable two-factor authentication on your Adobe account and on any other account that shared the breached password.
- Be alert to phishing emails referencing your Adobe account, as exposed email addresses are widely used for targeted scams.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- Adobe To Announce Source Code, Customer Data Breach – Krebs on Security
- Troy Hunt: Adobe credentials and the serious insecurity of password hints
- Illegal Access to Adobe Source Code — Adobe Security blog
Find out what data brokers know about you
Run a free scan to see which sites are exposing your personal information — name, phone, address, email, and more.
Start your free scan →