Nearly 7.5 million Adobe Creative Cloud user records were left exposed to anyone with a web browser. The records included email addresses, account information, and which Adobe products the users have.
Comparitech partnered with security researcher Bob Diachenko to uncover the exposed database. The Elasticsearch database could be accessed without a password or any other authentication.
Diachenko immediately notified Adobe on October 19 and the company secured the database on the same day.
Timeline of the exposure
Upon discovering the exposed data, Diachenko immediately took steps to notify Adobe.
- October 19, 2019 – Security researcher Diachenko discovered the exposed data and immediately notified Adobe.
- October 19, 2019 – Adobe secured the instance.
We do not know when, exactly, the database first appeared, but Diachenko estimates it was exposed for about a week. We do not know whether anyone else gained unauthorized access to the database in the meantime.
What information was exposed?
The exposed user data wasn’t particularly sensitive, but it could be used to create phishing campaigns that target the Adobe users whose emails were leaked. The following user data was included:
- Email addresses
- Account creation date
- Which Adobe products they use
- Subscription status
- Whether the user is an Adobe employee
- Member IDs
- Time since last login
- Payment status
The data did not include payment information or passwords.
Dangers of exposed data to Adobe Creative Cloud users
The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further information, such as passwords.
The information does not pose a direct financial or security threat. No credit cards or other payment information was exposed, nor were any passwords.
About Adobe Creative Cloud
Adobe Creative Cloud is a subscription service that gives users access to a suite of popular Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects, and many more. Adobe replaced its single-purchase, perpetual license model with the cloud subscription model in 2013.
By some estimates, Creative Cloud has approximately 15 million subscribers.
In October 2013, Adobe suffered a data breach that impacted at least 38 million users. 3 million encrypted customer credit cards and login credentials for an unknown number of users were exposed.
How and why we discovered the leak
Comparitech conducts security research that entails scanning the web for exposed databases. When we uncover a database that hasn’t been properly secured and allows unauthorized access, we immediately notify the owner.
Our aim is to mitigate potential harm to end users. Bob Diachenko leans on his extensive cybersecurity experience to quickly uncover breaches, analyze the data, and track down the responsible organization.
Once the database has been secured, we write a report like this one to help notify affected users and make them aware of the risks. We hope our work can make users safer and limit abuse by malicious parties.
The Adobe Creative Cloud incident is one of many exposures and breaches that Diachenko and Comparitech have uncovered. Here are some others:
- 2.8 million CenturyLink customer records exposed
- 700k Choice Hotels customer records leaked
- 7 million student records exposed by K12.com
- Detailed personal records of 188 million people found exposed on the web
- Stock market listed cryptocurrency retailer QuickBit exposes over 300,000 records
- 5 million personal records belonging to MedicareSupplement.com exposed to the public