Adobe is dealing with a data breach. Last week it turned out that 7.5 million Adobe Creative Cloud accounts had been leaked through an incorrectly configured database. The database has now been taken offline.
The data leak was discovered by security researcher Bob Diachenko and Comparitech. It was an Elasticsearch database that, because of a misconfiguration, could be accessed without a password or any other form of authentication.
The database contained data of Creative Cloud users. This included e-mail addresses, the date the account was created, which Adobe products are used, the subscription status, whether the user was an Adobe employee, user IDs, the country, the last time the user logged in and the payment status.
The database did not contain any passwords or payment information. The most sensitive data of an account therefore seems to be secure. The information in the database can, however, be used for spam and phishing emails. For example, fraudsters can pose as Adobe or a related company in order to get users to share more information.
Unsecured for a week
Comparitech regularly scans the internet for unsecured databases. That’s how they found the Adobe database. The company collaborated with security researcher Diachenko, who analyses data from security leaks and identifies the organisation responsible.
Diachenko estimates that the database has been open for about a week. It is unclear whether anyone other than the security researcher had access to it. On 19 October, the leak was reported to Adobe. The company immediately took the database offline.
Adobe says in a statement that the incident was specifically related to a prototype environment. “We immediately shut down the misconfigured environment and solved the vulnerability.” The company also reports that it is reviewing its development processes to prevent a similar incident from occurring in the future.