Adobe exposes 7 million Creative Cloud accounts online

  • by mtsadministrator

    • Creative
    software giant Adobe has issued a security notice confirming the embarrassing
    exposure of over 7 million user accounts, potentially leaving users vulnerable to
    phishing scams.

    On Friday, an Adobe blog entry titled “Security Update” disclosed that a misconfigured “environment” led to the exposure of customer information. The full announcement reads:

    At Adobe, we believe transparency with our customers
    is important. As such, we wanted to share a security update.

    Late last week,
    Adobe became aware of a vulnerability related to work on one of our prototype
    environments. We promptly shut down the misconfigured environment, addressing
    the vulnerability.

    The
    environment contained Creative Cloud customer information, including e-mail
    addresses, but did not include any passwords or financial information. This
    issue was not connected to, nor did it affect, the operation of any Adobe core
    products or services.

    We are
    reviewing our development processes to help prevent a similar issue occurring
    in the future.”

    The announcement is short on details. However, a report by Comparitech sheds more light on the issue. The site reportedly made the discovery in partnership with security researcher Bob Diachenko, who immediately notified Adobe. The company patched the flaw the same day (October 19).

    The exposed Elasticsearch database held close to 7.5 million Creative Cloud user accounts and could be accessed without a password or any other authentication. It is estimated that the database exposed user data for about a week – plenty of time for someone to exfiltrate the data and use it in phishing scams and fraud.

    The report also mentions that, in addition to leaking emails, the exposed database held information like: account creation date; which Adobe products the user owns; subscription status; whether the user is an actual employee at Adobe; member ID; country; Time since last login; payment status. In other words, plenty of information to craft a highly-convincing phishing scam. There is no immediate indication that the exposed information has been compromised.

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Scroll to top