Despite initial company disclosures that described a smaller-scale attack, a recent security incident for the maker of creative software affected more than 38 million users, the company revealed this week.

Not 2.9 million, 38 million.

That big difference in numbers is the gap between the security breach Adobe initially reported and the total number that actually appear to have been affected by a recent hacking incident, based on leaked files released online last weekend.

So what happened, and what should organizations that rely on Adobe’s software know? More details below:

The breach: As security blogger Brian Krebs reported earlier this week, a file including a large amount of Adobe user data appeared on the hacking forum AnonNews.org. Data for as many as 38 million users was compromised (though Adobe says some of the IDs stolen were likely invalid). That’s on top of an earlier report that revealed that the credit card information of nearly 3 million users was affected. At the same time, separate files were posted on the forum that appeared to contain source code for the market-leading Adobe Photoshop software, one of many pieces that appeared to have been taken during the recent incident. The files have since been removed from the internet at Adobe’s request.

Far worse than first reported: The security breach was first reported nearly a month ago—but at the time, Adobe stated the incident affected 2.9 million users, less than 10 percent of the 38 million actually affected. In explaining why the initial estimate was so far off, a spokeswoman told the BBC that Adobe did the best it could with the information it had. “In our public disclosure, we communicated the information we could validate,” she said. “As we have been going through the process of notifying customers whose Adobe IDs and passwords we believe to be involved, we have been eliminating invalid records. Any number communicated in the meantime would have been inaccurate.”

The pitfalls of SaaS? Adobe’s situation could be seen as a blight on the rise of software as a service (SaaS), as the company went all-in on that approach earlier this year. While cloud-based products like Adobe’s Creative Cloud offer some perks, the current saga points out the security risks inherent in web-based platforms, which don’t exist for offline products.

Adobe is offering free credit monitoring to those who may have had their credit information stolen. But, as Krebs notes, one of the major credit-monitoring companies, Experian, recently had a security incident of its own.

(photo by mrkathika/Flickr)