Creative software giant Adobe has issued a security notice confirming the embarrassing exposure of over 7 million user accounts, potentially leaving users vulnerable to phishing scams.
On Friday, an Adobe blog entry titled “Security Update” disclosed that a misconfigured “environment” led to the exposure of customer information. The full announcement reads:
“At Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update.
Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.
The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services.
We are reviewing our development processes to help prevent a similar issue occurring in the future.”
The announcement is short on details. However, a report by Comparitech sheds more light on the issue. The site reportedly made the discovery in partnership with security researcher Bob Diachenko, who immediately notified Adobe. The company patched the flaw the same day (October 19).
The exposed Elasticsearch database held close to 7.5 million Creative Cloud user accounts and could be accessed without a password or any other authentication. It is estimated that the database exposed user data for about a week – plenty of time for someone to exfiltrate the data and use it in phishing scams and fraud.
The report also mentions that, in addition to leaking emails, the exposed database held information like: account creation date; which Adobe products the user owns; subscription status; whether the user is an actual employee at Adobe; member ID; country; Time since last login; payment status. In other words, plenty of information to craft a highly-convincing phishing scam. There is no immediate indication that the exposed information has been compromised.