Adobe has confirmed that a recent cyber-attack compromised many more customer accounts than first reported.
The software-maker said that it now believed usernames and encrypted passwords had been stolen from about 38 million of its active users.
It added that the attackers had also accessed details from an unspecified number of accounts that had been unused for two or more years.
The firm had originally said 2.9 million accounts had been affected.
Adobe has also announced that the hackers stole parts of the source code to Photoshop, its popular picture-editing program.
It had previously revealed that the source code for its Acrobat PDF document-editing software and ColdFusion web application creation products had also been illegally accessed.
The information could allow programmers to analyse how Adobe's software works and copy its techniques.
In May, Adobe shifted several of its products to a subscription model, meaning its customers needed to register an account and provide their payment card details in order to qualify for upgrades.
A spokeswoman for Adobe defended the fact its initial statement did not reveal the full scale of the issue.
"In our public disclosure, we communicated the information we could validate," she said.
"As we have been going through the process of notifying customers whose Adobe IDs and passwords we believe to be involved, we have been eliminating invalid records. Any number communicated in the meantime would have been inaccurate."
She added that the firm still believed that encrypted credit and debit card numbers, product expiration dates and other information relating to customer orders had only been compromised in the case of the original 2.9 million users identified.
Regarding the additional 35.1 million users, the company thinks only customer IDs and encrypted passwords have been affected.
It has since reset the passwords as a precaution against the encryption being cracked. However, this would not protect its customers from the threat of having their accounts on other services attacked if they used the same usernames and passwords.
According to Brian Krebs, a security blogger who first reported the breach, a file was uploaded to a hacking forum last weekend that appeared to contain millions of usernames and hashed passwords taken from Adobe.
The fact the passwords had been hashed means that they had been converted into a string of characters using a process that cannot be reversed to reveal the original text.
The spokeswoman for Adobe said the document had since been removed from the site at the firm's request, and added that her company had seen no indication of unauthorised activity on any of the accounts involved in the incident.
- 4 October 2013
- 7 May 2013