7 million Adobe Creative Cloud accounts exposed to the public
Nearly 7.5 million Adobe Creative Cloud user records were left exposed to anyone with a web browser, including email addresses, account information, and which Adobe products they use.
Comparitech partnered with security researcher Bob Diachenko to uncover the exposed database. The Elasticsearch database could be accessed without a password or any other authentication.
Diachenko immediately notified Adobe on October 19 and the company secured the database on the same day.
Timeline of the exposure
Upon discovering the exposed data, Diachenko immediately took steps to notify Adobe.
October 19, 2019 – Security researcher Diachenko discovered the exposed data and immediately notified Adobe.
October 19, 2019 – Adobe secured the instance.
We do not know when, exactly, the database first appeared, but Diachenko estimates it was exposed for about a week. We do not know whether anyone else gained unauthorized access to the database in the meantime.
What information was exposed?
The exposed user data wasn’t particularly sensitive, but it could be used to create phishing campaigns that target the Adobe users whose emails were leaked. The following user data was included:
Account creation date
Which Adobe products they use
Whether the user is an Adobe employee
Time since last login
The data did not include payment information or passwords.
Dangers of exposed data to Adobe Creative Cloud users
The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords.
The information does not pose a direct financial or security threat. No credit cards or other payment information was exposed, nor were any passwords.
About Adobe Creative Cloud
Adobe Creative Cloud is a subscription service that gives users access to a suite of popular Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects, and many more. Adobe replaced its single-purchase, perpetual license model with the cloud subscription model in 2013.
By some estimates, Creative Cloud has approximately 15 million subscribers.
Comparitech conducts security research that entails scanning the web for exposed databases. When we uncover a database that hasn’t been properly secured and allows unauthorized access, we immediately notify the owner.
Our aim is to mitigate potential harm to end users. Bob Diachenko leans on his extensive cybersecurity experience to quickly uncover breaches, analyze the data, and track down the responsible organization.
Once the database has been secured, we write a report like this one to help notify affected users and make them aware of the risks. We hope our work can make users safer and limit abuse by malicious parties.
The Adobe Creative Cloud incident is one of many exposures and breaches that Diachenko and Comparitech have uncovered.