An unsecured Elasticsearch database left exposed the account information of about 7.5 million Adobe Creative Cloud users.
Comparitech, in association with security researcher Bob Diachenko, found the Adobe database, which could be accessed without a password or any login credentials. The company was notified on October 19 and the database was locked down that day.
However, a great deal of information was left exposed, for an indeterminate amount of time, possibly as long as a week, according to Diachenko.
"The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services," Adobe said in a statement.
Comparitech listed the compromised information as:
- Email addresses
- Account creation date
- Which Adobe products they use
- Subscription status
- Whether the user is an Adobe employee
- Member IDs
- Time since last login
- Payment status
Even though the information was exposed just for a week, industry execs say that is more than enough time for a cybercriminal to find and then utilise for a variety of different types of future attacks.
"The exposure of 7.5 million Adobe Creative Cloud accounts gives cybercriminals more than enough data to commit effective phishing attacks and impersonation attempts. Knowing users’ email addresses, product subscriptions, payment statuses and login updates means their social engineering attacks can be highly tailored and therefore all the more convincing. If successful, these attacks can lead to account takeover, identity theft and other scams," said Valimail CEO and co-founder Alexander García-Tobar.
The original version of this article was published on SC Media US.