
Adobe left millions of Creative Cloud user records exposed online

Adobe Creative Cloud subscribers are being warned to keep a lookout for phishing emails after it was discovered that data belonging to more than seven million accounts remained exposed online for about a week.

Adobe Creative Cloud is a suite of applications that subscribers pay a monthly fee to use. It includes Photoshop, Lightroom, Premiere Rush, Premiere Pro, and Illustrator, among other software.

U.K.-based tech firm Comparitech and security researcher Bob Diachenko discovered the exposed data, which they said could be viewed without a password or any other kind of authentication.

The researchers alerted Adobe on October 19, prompting the software company to secure the database on the same day.

Exposed data

The exposed data involved 7.5 million accounts and included email addresses, member IDs, country locations, account creation dates, Adobe products used, time since last login, payment status, and whether the user is an Adobe employee, among other details.

Payment information and passwords were not exposed.

Comparitech said that while the data isn’t “particularly sensitive,” it could nevertheless be used to launch phishing campaigns against subscribers.

“Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords,” Comparitech said in a post about the incident.

There’s so far no evidence that the data was accessed by third parties during the time it was exposed online.

California-based Adobe acknowledged the incident in a message on its website.

“At Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update,” the company said.

“Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.”

It continued: “The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services. We are reviewing our development processes to help prevent a similar issue occurring in the future.”

It’s not the first time Adobe has run into trouble with how it handles user data. In 2013, the company suffered a far more serious incident when hackers stole information belonging to around 38 million users. In that case, the hackers managed to get their hands on encrypted customer data that included payment card details, names, usernames, and email addresses.
