Skip to main content

Adobe left millions of Creative Cloud user records exposed online

Adobe Creative Cloud subscribers are being warned to keep a look out for phishing emails after it was discovered that data belonging to more than seven million accounts remained exposed online for about a week.

Adobe Creative Cloud is a suite of applications that subscribers pay a monthly fee to use. It includes Photoshop, Lightroom, Premiere Rush, Premier Pro, and Illustrator, among other software.

U.K.-based tech firm Comparitech and security researcher Bob Diachenko discovered the exposed data, which they said could be viewed without a password or any other kind of authentication.

The researchers alerted Adobe on October 19, prompting the software company to secure the database on the same day.

Exposed data

The exposed data involved 7.5 million accounts and included email addresses, member IDs, country locations, account creation dates, Adobe products used, time since last login, payment status, and whether the user is an Adobe employee, among other details.

Payment information and passwords were not exposed.

Comparitech said that while the data isn’t “particularly sensitive,” it could nevertheless be used to launch phishing campaigns against subscribers.

“Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords,” Comparitech said in a post about the incident.

There’s so far no evidence that the data was accessed by third parties during the time it was exposed online.

California-based Adobe acknowledged the incident in a message on its website.

“At Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update,” the company said.

“Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.”

It continued: “The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services. We are reviewing our development processes to help prevent a similar issue occurring in the future.”

It’s not the first time Adobe has run into trouble with how it handles user data. In 2013, the company suffered a far more serious incident when hackers stole information belonging to around 38 million users. In that case, the hackers managed to get their hands on encrypted customer data that included payment card details, names, usernames, and email addresses.

Editors' Recommendations

Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…
Hackers are trying to sell a haul of more than 73 million user records
Hands on a laptop.

More than 73 million user records stolen from across a number of online services are being offered for sale on the dark web by hacker group ShinyHunters, according to ZDNet.

Affected services include online dating app Zoosk (30 million user records), printing service Chatbooks (15 million), food delivery service Home Chef (8 million), online marketplace Minted (5 million), and U.S. news site Star Tribune (1 million).

Read more
Massive iPhone security flaw left millions of phones vulnerable to hacks
iPhone Home screen and apps

Over half a billion iPhones are vulnerable to hackers, and iPads are susceptible, too — and Apple is still working to deploy its fix.

The issue — which was discovered by cybersecurity company ZecOps exec Zuk Avraham — lies with Apple’s Mail app, which leaves devices vulnerable to hackers, according to Reuters.

Read more
Hackers expose personal details of 10 million MGM hotel guests
russia hotel wi fi hack hacking hacker lifestyle pc keyboard

A major security breach has hit MGM Resorts hotels after the personal details of 10.6 million guests were posted on a hacking forum this week.

The stolen data belongs not only to regular tourists but also to celebrities, tech CEOs, and government officials -- among them Twitter CEO Jack Dorsey and Canadian singer Justin Bieber.

Read more