Adobe left almost 7.5 million Creative Cloud accounts exposed to anyone with a web browser.
According to a Comparitech report, an Elastisearch database containing email address and other Creative Cloud account information was accessible without a password or other authentication.
Comparitech partnered with security researcher Bob Diachenko to uncover the exposed database and reported it to Adobe on October 19th. Adobe secured the database the same day.
Diachenko estimates the database remained accessible for about a week. It’s not clear if anyone else accessed the database.
Thankfully, Comparitech reports that the exposed data wasn’t particularly sensitive. Below is a list of all data included in the database:
- Email addresses
- Account creation date
- Which Adobe products that account owns
- Subscription Status
- Whether the user is an Adobe employee
- Member IDs
- Time since last login
- Payment status
The data didn’t include payment information or passwords. However, the real danger with the exposed data is that scammers could use it to build targeted phishing scams.
Armed with the above information, fraudsters could pose as Adobe and try to trick users into giving up further data, such as passwords or payment details.
Adobe confirmed the details of the Comparitech report to Gizmodo in an email statement. It noted that the database “contained Creative Cloud customer information, including email addresses, but did not include any passwords or financial information.”
“This issue was not connected to, nor did it affect, the operation of any Adobe core products or services,” the company said.
Adobe also said it was reviewing its “development processes to help prevent a similar issue occurring in the future.”
Adobe Creative Cloud users should be wary of any emails they receive asking them to log in to the service and never click links provided in an email. Instead, open a new tab and sign in to Adobe directly through the company’s website.
You can learn more about the breach and how Comparitech uncovered it here.