Nearly 7.5 million Adobe Creative Cloud user records were left exposed in an Elasticsearch database that was not password-protected.
Security researcher Bob Diachenko, who worked alongside Comparitech, estimates that the database was exposed for about a week. However, it remains unknown whether anyone else gained unauthorised access to the database.
The exposed information included: email addresses, account creation data, which Adobe products they use, subscription status, whether the user is an Adobe employee, member IDs, time since last login, payment status and country.
The data did not include payment information or passwords.
Comparitech privacy advocate Paul Bischoff said in a blog post: “The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”
“The information does not pose a direct financial or security threat. No credit cards or other payment information was exposed, nor were any passwords.”
Adobe Creative Cloud is a subscription service which offers users access to a range of popular Adobe products including Photoshop, Lightroom, Premiere Pro, After Effects and more. It is estimated to have approximately 15 million subscribers.
Adobe was previously hit by a data breach in October 2014, which impacted at least 38 million users. Subsequently, 3 million encrypted customer credit cards and login credentials for an unknown number of users were exposed.
The database has now been closed.