Time to check who left their database open and leaked 7.5m customer records: Hi there, Adobe Creative Cloud!

No passwords or banking details, but enough info to convincingly phish someone

Adobe has pulled offline a public-facing, poorly secured Elasticsearch database containing information on 7.5 million Creative Cloud customers.

The cloud-based silo was uncovered by infosec detective Bob Diachenko, who reported it to Adobe last week.

The exposed records include email addresses, account creation dates, details of products purchased, Creative Cloud subscription statuses, member IDs, countries of origin, subscription payment statuses, whether the user is an Adobe employee, and other bits of metadata.

For those out of the loop, Creative Cloud is the online successor to Adobe's software suite of things like Photoshop, Illustrator, and Premiere. Users pay a monthly fee to access the various apps rather than buy them on CD.

The database contains pretty bog-standard information about subscribers, and there were no payment card details or passwords included, so if you were one of the 7.5 million exposed you're probably not in any danger of fraud or the theft of Creative Cloud subscriber accounts.

However, as Comparitech editor Paul Bischoff, who worked with Diachenko to report the wayward database to Adobe, noted today, these sorts of small details could be very useful for social engineering. They may not let a thief steal your account directly, but they could be the first step toward a compromise via phishing emails.

"The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams," Bischoff explained.

"Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example."

As the database has since been taken offline, there is no risk of further exposure. Diachenko reckons the database was online for around a week, and there's no indication if anyone else was able to view it.

"We are reviewing our development processes to help prevent a similar issue occurring in the future," Adobe said of the exposure.

The media software giant has plenty of company in leaving a cloud database exposed.

With the advent of Shodan and other tools capable of automatically crawling large blocks of IP addresses, it has become clear that there are millions of databases on AWS and other cloud platforms that are set to allow public access.

While most of those databases and cloud instances don't contain sensitive data, many were packed with files and information that the creators never intended to make public. Massive exposures have occurred at Veeam, the Mexican government and the RNC, all thanks to misconfigured machines.

Admins and developers are advised to always make sure their machines are configured to only allow access to those who need it. ®
