Adobe, a well-known name in creative cloud services, has mistakenly exposed the details of around 7.5 million user accounts. The vulnerability was brought to light by security researcher and consultant Bob Diachenko and reported in the press by Paul Bischoff, tech journalist, privacy advocate and VPN expert at Comparitech.
As per Adobe’s whitepaper, most components of Creative Cloud are hosted on Amazon Web Services (AWS), including Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3). An Elasticsearch database is used to store, search, and analyze large volumes of data in near real-time. Diachenko’s analysis found that this Elasticsearch database was left exposed because it had no password protection. As a result, anyone who knew how to find it could access the database through their browser and view the details of 7.5 million Creative Cloud accounts. The flaw was live and unnoticed for close to a week, but whether anyone else had unauthorized access to it is not known.
Diachenko reported this security flaw to Adobe on October 19. Adobe responded immediately and also gave a formal update to its users through the Adobe Blog. It stated: “At Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update.
Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.
The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services.
We are reviewing our development processes to help prevent a similar issue occurring in the future.”
The good news is that the exposed user data did not contain payment information or passwords, but it did include information such as:
- Email address
- Account creation date
- Adobe products subscribed
- Subscription status
- Member IDs
- Time since last login
- Payment status
The only concern that Adobe now has is that, if someone did get hold of this information, its users are at risk of a phishing attack.