"Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers.
"This includes customer names, encrypted credit or debit card numbers, expiration dates and other information relating to customer orders," it added.
Adobe said while it believes the attackers did not remove decrypted credit or debit card numbers from its systems, it is working internally and with external partners and law enforcement to address the incident.
The company said it is notifying customers and resetting passwords. It has also alerted banks processing Adobe payments to help protect customer accounts and is working with federal law enforcement on its related investigation.
"Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers," Adobe chief security officer Brad Arkin wrote in the blog post.