Adobe has become the latest company to be caught leaving an Elasticsearch database full of customer data exposed on the internet.
Discovered on 19 October by data hunter Bob Diachenko and security company Comparitech, the unsecured database contained the email addresses of nearly 7.5 million customers of Adobe’s Creative Cloud, plus the following:
- Account creation date
- Adobe products used
- Subscription status
- Whether the user is an Adobe employee
- Member IDs
- Time since last login
- Payment status
That’s the email addresses of around half of Creative Cloud’s customer base although not, importantly, any of their passwords or payment information. Nevertheless, said Comparitech, spelling out the risk of phishing attacks:
Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.
Judging from clues in the data, Diachenko believes it might have been exposed for around a week. It’s not possible to tell whether anyone else accessed the data during this time.