Almost 7.5 million Adobe Creative Cloud user records, including account information, email addresses, and which Adobe products the users use, were left exposed to anyone with a web browser. Comparitech collaborated with security researcher Bob Diachenko to uncover the unprotected database. The Elasticsearch database could be accessed without a password or any other authentication. Diachenko promptly notified Adobe on October 19, and the company secured the database the same day.
This serious failure affected desktop and mobile customers using Photoshop, Illustrator, Premiere Pro, InDesign, Lightroom, and many other services. Personal details of Adobe Creative Cloud users, including email addresses, account details, country, and other data, were stored in the affected database. The exposure was first reported on October 19, so Adobe has already taken the required actions.
The Adobe Communications Team stated in its release on October 25:
Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services. We are reviewing our development processes to help prevent a similar issue occurring in the future.
Cyber criminals may have acquired these details with the sole aim of using the data in later phishing attacks. Email addresses and other personally identifiable information can be useful to malicious scammers who focus on extortion and blackmail.
The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further information, such as passwords.