Security Experts:

Adobe Exposed Creative Cloud Customer Information

Adobe has admitted that some Creative Cloud customer information — 7.5 million records, according to the researchers who stumbled upon the data — was exposed recently due to a misconfiguration.

Researcher Bob Diachenko and Comparitech reported last week that they had identified an unprotected Elasticsearch database — the database was accessible without a password — storing Creative Cloud customer information.

The database contained email addresses and other account information, including account creation date, Adobe products used, subscription status, member ID, country, payment status, and time since last login. However, passwords or payment information were not exposed.

It’s unclear how many users were affected, but Comparitech and Diachenko reported counting 7.5 million records in the exposed database.

“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example,” Comparitech said in a blog post.

The exposed data was discovered on October 19 and Adobe took steps to secure the database on the same day.

Adobe confirmed the incident and said it was related to one of its “prototype environments.”

“The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services,” Adobe said.

The company added, “We are reviewing our development processes to help prevent a similar issue occurring in the future.”

This was not the only significant data exposure uncovered recently by Diachenko and Comparitech. In the past few months, they also reported finding 2.8 million records exposed by CenturyLink, 700,000 records exposed by Choice Hotels, 7 million student records exposed by K12.com, 300,000 records exposed by QuickBit, and 5 million records exposed by MedicareSupplement.com.

Comparitech also reported recently that the official campaign website of U.S. President Donald Trump exposed information that may have allowed hackers to intercept emails and send out emails on behalf of the campaign, but representatives of the Trump campaign have downplayed the risk.

Related: JIRA Misconfiguration Leaks Data of Fortune 500 Companies

Related: Adobe Patches ColdFusion Vulnerability Exploited in the Wild

Related: Adobe Patches Two Code Execution Vulnerabilities in Flash Player

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.