Adobe accidentally exposed private details of over 7 million Creative Cloud accounts to the public, putting those members at risk of targeted phishing scams.
The issue was first reported by Comparitech, which discovered (in partnership with security researcher Bob Diachenko) that the account details were exposed in a database that could be accessed by anyone through a browser without any kind of password or authentication.
The exposed account data included email addresses, account creation date, Adobe products used, subscription status, whether the user is an Adobe employee, member IDs, country, time of last login, and payment status. Payment details and account passwords were not exposed by the database.
Diachenko notified Adobe of the issue on October 19th, and the database was secured the same day; he estimates it had been exposed for about a week. It is currently unknown whether the database was accessed by third parties while it was exposed.
Adobe confirmed the details of the “vulnerability” in a Security Update posted to its website:
At Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update.
Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.
The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services.
We are reviewing our development processes to help prevent a similar issue occurring in the future.
“The exposed user data wasn’t particularly sensitive, but it could be used to create phishing campaigns that target the Adobe users whose emails were leaked,” Comparitech notes. “Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”
Adobe suffered another major data breach back in 2013 that did expose credit card and login information; that breach affected at least 38 million users and possibly up to 150 million.
If you’re a subscriber to Adobe Creative Cloud, keep your eyes peeled for emails purporting to be from Adobe, and double-check that they are indeed from the company before responding or acting in any way.
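The advice above is to confirm that a message really came from Adobe before acting on it. Beyond eyeballing the sender, the receiving mail server records its own SPF, DKIM and DMARC verdicts in the Authentication-Results header (visible via "show original" in most mail clients). The following is an added example, not code from the article or from Adobe or Comparitech: it parses that header and reports whether a message whose From address claims a given domain actually passed the checks for that domain. The two sample messages are constructed for illustration, and the code assumes the Authentication-Results header was written by your own trusted mail server (an upstream attacker could otherwise forge it).

```python
"""Check a message's Authentication-Results against the domain it claims in From:.

Sample messages are constructed for this example. The Authentication-Results
header is assumed to have been added by the recipient's own trusted MX."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message that passes SPF, DKIM and DMARC for adobe.com.
SAMPLE_LEGIT = """From: Adobe <noreply@mail.adobe.com>
Authentication-Results: mx.example.net; spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=mail.adobe.com; dkim=pass header.d=adobe.com header.i=@adobe.com header.b=abc123; dmarc=pass header.from=mail.adobe.com
Subject: Your Creative Cloud receipt

Thanks for your purchase.
"""

# Constructed sample: From: claims adobe.com, but every check that ties the
# message to adobe.com fails; only an unrelated sending domain authenticates.
SAMPLE_PHISH = """From: "Adobe Support" <billing@adobe.com>
Authentication-Results: mx.example.net; spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=bulk.example.org; dkim=pass header.d=example.org header.i=@example.org; dmarc=fail (p=REJECT) header.from=adobe.com
Subject: Action required: confirm your password

Please re-enter your password here.
"""


def in_domain(name, base):
    """True if name is base or a subdomain of base (case-insensitive)."""
    name, base = name.lower(), base.lower()
    return name == base or name.endswith("." + base)


def from_domain(msg):
    """Domain of the address in From:, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(msg):
    """Yield (method, result, properties) from every Authentication-Results header.

    The first ';'-separated clause is the authserv-id; each later clause is
    'method=result' followed by key=value properties, possibly with comments
    in parentheses, e.g. 'spf=pass (sender IP is ...) smtp.mailfrom=...'.
    """
    for hdr in msg.get_all("Authentication-Results", []):
        clauses = [c.strip() for c in hdr.split(";")]
        for clause in clauses[1:]:
            m = re.match(r"(\w+)=(\w+)(.*)", clause, re.S)
            if not m:
                continue
            method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
            props = dict(re.findall(r"([\w.]+)=([^\s()]+)", rest))
            yield method, result, props


def check_sender(raw, claimed_domain):
    """Return which checks tie the message to claimed_domain, plus an overall verdict."""
    msg = message_from_string(raw)
    findings = {"from_domain_matches": in_domain(from_domain(msg), claimed_domain),
                "spf": False, "dkim": False, "dmarc": False}
    for method, result, props in parse_auth_results(msg):
        if result != "pass":
            continue
        if method == "spf":
            # SPF authenticates the envelope sender, which may be a bare domain or an address.
            mailfrom = props.get("smtp.mailfrom", "").rpartition("@")[2]
            findings["spf"] = findings["spf"] or in_domain(mailfrom, claimed_domain)
        elif method == "dkim":
            # A DKIM pass only helps if the signing domain (header.d) is the claimed one.
            findings["dkim"] = findings["dkim"] or in_domain(props.get("header.d", ""), claimed_domain)
        elif method == "dmarc":
            # DMARC pass means SPF or DKIM aligned with the From: domain.
            findings["dmarc"] = findings["dmarc"] or in_domain(props.get("header.from", ""), claimed_domain)
    findings["trustworthy"] = (findings["from_domain_matches"] and findings["dmarc"]
                               and (findings["spf"] or findings["dkim"]))
    return findings


if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("phish", SAMPLE_PHISH)):
        print(label, check_sender(sample, "adobe.com"))
```

A passing verdict means the sending infrastructure was authorised by the claimed domain; it says nothing about the message content, so a link in an authenticated mail still deserves the same scrutiny as any other.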
Image credits: Lock icon in header illustration by SimpleIcon and licensed under CC BY 3.0