Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Adobe Exposed Creative Cloud Customer Information

Adobe has admitted that some Creative Cloud customer information — 7.5 million records, according to the researchers who stumbled upon the data — was exposed recently due to a misconfiguration.

Adobe has admitted that some Creative Cloud customer information — 7.5 million records, according to the researchers who stumbled upon the data — was exposed recently due to a misconfiguration.

Researcher Bob Diachenko and Comparitech reported last week that they had identified an unprotected Elasticsearch database — the database was accessible without a password — storing Creative Cloud customer information.

The database contained email addresses and other account information, including account creation date, Adobe products used, subscription status, member ID, country, payment status, and time since last login. However, passwords or payment information were not exposed.

It’s unclear how many users were affected, but Comparitech and Diachenko reported counting 7.5 million records in the exposed database.

“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example,” Comparitech said in a blog post.

The exposed data was discovered on October 19 and Adobe took steps to secure the database on the same day.

Adobe confirmed the incident and said it was related to one of its “prototype environments.”

“The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services,” Adobe said.

Advertisement. Scroll to continue reading.

The company added, “We are reviewing our development processes to help prevent a similar issue occurring in the future.”

This was not the only significant data exposure uncovered recently by Diachenko and Comparitech. In the past few months, they also reported finding 2.8 million records exposed by CenturyLink, 700,000 records exposed by Choice Hotels, 7 million student records exposed by K12.com, 300,000 records exposed by QuickBit, and 5 million records exposed by MedicareSupplement.com.

Comparitech also reported recently that the official campaign website of U.S. President Donald Trump exposed information that may have allowed hackers to intercept emails and send out emails on behalf of the campaign, but representatives of the Trump campaign have downplayed the risk.

Related: JIRA Misconfiguration Leaks Data of Fortune 500 Companies

Related: Adobe Patches ColdFusion Vulnerability Exploited in the Wild

Related: Adobe Patches Two Code Execution Vulnerabilities in Flash Player

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

SpecterOps has appointed Tim Bender as CFO, Pat Sheridan as CRO, and Bryce Hein as CMO.

CISA has officially announced the appointment of Madhu Gottumukkala as its new deputy director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.