Security researchers have revealed that Adobe exposed the personal data of 7.5 million Creative Cloud subscribers to potential hackers. Fortunately, no payment details or passwords were included and the vulnerability was addressed by Adobe immediately after its discovery.
Bob Diachenko, a researcher working with Comparitech, discovered the vulnerability last week. A database listing the email address, account creation date, and subscription status was available without a password to any to anyone who could find it.
As no financial details or account passwords were part of the database, the danger to customers is relatively small, but as Comparitech notes, it makes those affected vulnerable to phishing emails as scammers could easily pose as Adobe employees who go on to request security and credit card details.
Diachenko contacted Adobe straight after discovering the vulnerability and Adobe took immediate action. It’s thought that there are 15 million subscribers to Adobe’s Creative Cloud suggesting that this database vulnerability could have affected up to half of its customers.
Both Diachenko and Comparitech have an impressive resume when it comes to discovering insecure data on the internet, having discovered an easily accessible database earlier this year that contained the personal details of 188 million people.
As yet, it appears that Adobe has not contacted its customers directly in order to advise them that their data was exposed, but it has made the following statement:
At Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update.
Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.
The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services.
We are reviewing our development processes to help prevent a similar issue occurring in the future.
You can read the response in full on the Adobe blog.