Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Adobe Exposed Creative Cloud Customer Information

Adobe has admitted that some Creative Cloud customer information — 7.5 million records, according to the researchers who stumbled upon the data — was exposed recently due to a misconfiguration.

Adobe has admitted that some Creative Cloud customer information — 7.5 million records, according to the researchers who stumbled upon the data — was exposed recently due to a misconfiguration.

Researcher Bob Diachenko and Comparitech reported last week that they had identified an unprotected Elasticsearch database — the database was accessible without a password — storing Creative Cloud customer information.

The database contained email addresses and other account information, including account creation date, Adobe products used, subscription status, member ID, country, payment status, and time since last login. However, passwords or payment information were not exposed.

It’s unclear how many users were affected, but Comparitech and Diachenko reported counting 7.5 million records in the exposed database.

“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example,” Comparitech said in a blog post.

The exposed data was discovered on October 19 and Adobe took steps to secure the database on the same day.

Adobe confirmed the incident and said it was related to one of its “prototype environments.”

Advertisement. Scroll to continue reading.

“The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services,” Adobe said.

The company added, “We are reviewing our development processes to help prevent a similar issue occurring in the future.”

This was not the only significant data exposure uncovered recently by Diachenko and Comparitech. In the past few months, they also reported finding 2.8 million records exposed by CenturyLink, 700,000 records exposed by Choice Hotels, 7 million student records exposed by K12.com, 300,000 records exposed by QuickBit, and 5 million records exposed by MedicareSupplement.com.

Comparitech also reported recently that the official campaign website of U.S. President Donald Trump exposed information that may have allowed hackers to intercept emails and send out emails on behalf of the campaign, but representatives of the Trump campaign have downplayed the risk.

Related: JIRA Misconfiguration Leaks Data of Fortune 500 Companies

Related: Adobe Patches ColdFusion Vulnerability Exploited in the Wild

Related: Adobe Patches Two Code Execution Vulnerabilities in Flash Player

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.