7.5 Million Adobe Creative Cloud Users Warned of Data Breach

Adobe has announced that a vulnerability has exposed the private information of approximately 7.5 million Adobe Creative Cloud users. The information was contained in an Elasticsearch database, which could be accessed by anyone via a web browser without any authentication required. Fortunately, only basic customer information was exposed.

No financial information or passwords were stored in the database, only basic information about customer accounts: email addresses, member IDs, account subscription date, subscription and payment status, local time zone, last login time, the products subscribed to, and whether the individual was an Adobe employee.

The exposed database was discovered and reported to Adobe by Security Discovery researcher Bob Diachenko and Comparitech tech journalist Paul Bischoff. Adobe secured the database the same day and issued a prompt security update to its customers about the exposed data.

Adobe explained that the database was being used by staff in one of its prototype environments and that a misconfiguration had allowed the database to be accessed over the internet. That misconfiguration did not affect any Adobe core products or services.

It is unclear for how long the database had been exposed. Diachenko discovered the database on October 19 and suspects it had been exposed online for around a week. It was not possible to determine whether any unauthorized individuals had accessed or copied the database.

Due to the limited nature of the exposed data and the suspected short window of exposure, the breach is not as serious as several other exposed unprotected databases discovered by Diachenko and nowhere near as serious as Adobe’s 2013 data breach in which full customer records were stolen; however, there is still potential for the data to be misused.

Since email addresses were exposed, if they were obtained by unauthorized individuals they could be used for spamming. The information in the database could also be used to craft convincing emails to obtain Adobe Creative Cloud passwords.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news