Adobe left 7.5 million Creative Cloud user records exposed online

Exposed data primarily includes emails, but not passwords or financial information.

SAN FRANCISCO, CA JULY 1, 2018: Entrance to Adobe San Francisco office location in historic Baker and Hamilton warehouse

David Tran / Getty Images

The basic customer details of nearly 7.5 million Adobe Creative Cloud users were exposed on the internet inside an Elasticsearch database that was left accessible online without a password.

The exposed details primarily included information about customer accounts, but not passwords or financial information.

Exposed user details included email addresses, Adobe member IDs (usernames), country of origin, and which Adobe products they were using. Other information included the account creation date, the date of the last login, whether the account belonged to an Adobe employee, and subscription and payment status.

This data was found last week, on Saturday, October 19, by security researcher Bob Diachenko from Security Discovery and Paul Bischoff, a tech journalist for CompariTech.

The two notified Adobe's security team, who secured the server on the same day.

Diachenko and Bischoff lauded Adobe for its quick response and admitted that the data leak was not as severe as other leaks they've found in the past at other companies, as it did not contain passwords, payment data, or even something as basic as customer names.

Spear-phishing warning

However, it is unclear if someone else also accessed this database and downloaded its content. The data inside could be used to send spam to users who had their email addresses exposed.

Specifically, hackers could target owners of active Adobe premium accounts with phishing emails in order to hijack high-value Creative Cloud accounts, which they could later resell on specialized dark web markets.

For its part, Adobe admitted to the leaky server in a blog post last night, Friday, October 25.

The cloud-based software company blamed the incident on a misconfiguration of one of its "prototype environments" that led to the server becoming exposed on the internet.

This leak is nowhere near as severe as the infamous 2013 Adobe breach, where hackers obtained full records, including encrypted payment details, for nearly 38 million Adobe users. At the time, the Adobe breach was one of the biggest hacks ever.