7.5 Million Records of Adobe Creative Cloud User Data Exposed
October 25: Adobe secured a database with 7.5 million records belonging to Adobe Creative Cloud users. The cache was not protected in any way, allowing anyone access to client information if they knew how to find it.
Although the details included are not highly sensitive, they could be used to launch better-crafted phishing campaigns against customers whose data was exposed.
It is unclear how long the details stayed exposed but Bob Diachenko, the researcher that discovered it, estimates that anyone had free access to them for about a week.
Diachenko reported his findings to Adobe on October 19 and the company secured the Elasticsearch database on the same day.
According to Comparitech, sensitive details like passwords or payment data were not included.
There is no information on whether anyone accessed the information but if they did, they could use it for targeted phishing campaigns.
The size of the cache, according to a screenshot provided by the researchers, is close to 86GB
A screen capture that was taken by Diachenko shows the details that could be accessed without authentication. These include email addresses, the date the account was created, the products used by the customer, and payment status.
Additional details stored in the database that could influence the success of a scam include the following:
- Subscription status
- Whether the user is an Adobe employee
- Member IDs
- Time since last login
Adobe’s open Elasticsearch server was discovered by actively scanning the web in search for insecure databases.
Update [10/25/2019, 18:20 ET]: Adobe today published a statement about the exposed database saying that it was part of a “prototype environment” that was misconfigured. The company informs that the environment stored Creative Cloud customer information that did not include passwords or financial details.
Source: Bleeping Computer / Ionut Ilascu