The attackers of Adobe, the maker of Photoshop, accessed customer IDs and encrypted passwords, the company said.
It added: "We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.
"At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems."
Brad Arkin, chief security officer at Adobe, said the company "deeply regret" that this incident occurred.
The statement also said: "We are also investigating the illegal access to source code of numerous Adobe products.
"Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident."
The company said it is resetting relevant customer passwords to help prevent unauthorised access to accounts.
Customers whose user ID and password were involved will receive an email with details of how to change their password.
The company recommends people change passwords on any website where they have used the same user ID and password.