Adobe has had to admit a data leak. Account details for 7.5 million Adobe Creative Cloud accounts, stored in an unprotected database, were accessible to third parties via a web browser.
Adobe Creative Cloud is a subscription service that gives users access to a number of popular Adobe products including Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects, and more. In 2013, Adobe replaced its perpetual license model, which was based on a one-time purchase, with the cloud subscription model. And now Adobe Creative Cloud users' account information has been publicly available.
Some Friday vibes in here: https://t.co/CiPo3xIZsy
— Bob Diachenko (@MayhemDayOne) October 25, 2019
The database with the sensitive user information was discovered by the security researchers Bob Diachenko and Comparitech. I became aware of this case through Bob Diachenko's tweet above. Access to the Elasticsearch database was possible without a password or any other authentication.
The database contained nearly 7.5 million Adobe Creative Cloud user records and could be accessed by virtually anyone with a simple browser. The data included email addresses, account information, and the Adobe products used by each user.
- Email addresses
- Account creation date
- Which Adobe products they use
- Subscription status
- Whether the user is an Adobe employee
- Member IDs
- Time since last login
After discovering the exposed data, Diachenko immediately took steps to inform Adobe.
- October 19, 2019 – Security researcher Diachenko discovered the exposed data and informed Adobe immediately.
- October 19, 2019 – Adobe secured the instance with the database.
The security researchers don't know exactly when the database first became publicly visible. But Diachenko estimates that it was exposed for about a week. It is unknown whether anyone else obtained unauthorized access to the database in the meantime.