Adobe exposes 7 million Creative Cloud accounts online

Creative
software giant Adobe has issued a security notice confirming the embarrassing
exposure of over 7 million user accounts, potentially leaving users vulnerable to
phishing scams.

On Friday, an Adobe blog entry titled “Security Update” disclosed that a misconfigured “environment” led to the exposure of customer information. The full announcement reads:

At Adobe, we believe transparency with our customers
is important. As such, we wanted to share a security update.

Late last week,
Adobe became aware of a vulnerability related to work on one of our prototype
environments. We promptly shut down the misconfigured environment, addressing
the vulnerability.

The
environment contained Creative Cloud customer information, including e-mail
addresses, but did not include any passwords or financial information. This
issue was not connected to, nor did it affect, the operation of any Adobe core
products or services.

We are
reviewing our development processes to help prevent a similar issue occurring
in the future.”

The announcement is short on details. However, a report by Comparitech sheds more light on the issue. The site reportedly made the discovery in partnership with security researcher Bob Diachenko, who immediately notified Adobe. The company patched the flaw the same day (October 19).

The exposed Elasticsearch database held close to 7.5 million Creative Cloud user accounts and could be accessed without a password or any other authentication. It is estimated that the database exposed user data for about a week – plenty of time for someone to exfiltrate the data and use it in phishing scams and fraud.

The report also mentions that, in addition to leaking emails, the exposed database held information like: account creation date; which Adobe products the user owns; subscription status; whether the user is an actual employee at Adobe; member ID; country; Time since last login; payment status. In other words, plenty of information to craft a highly-convincing phishing scam. There is no immediate indication that the exposed information has been compromised.

Leave a Reply

Your email address will not be published.

Scroll to top