SAN FRANCISCO, CA, JULY 1, 2018: Entrance to Adobe San Francisco office location in historic Baker and Hamilton warehouse. David Tran / Getty Images

The basic customer details of nearly 7.5 million Adobe Creative Cloud users were exposed on the internet inside an Elasticsearch database that was left connected online without a password.

The exposed details primarily included information about customer accounts, but not passwords or financial information.

Exposed user details included email addresses, Adobe member IDs (usernames), country of origin, and which Adobe products they were using. Other information included the account creation date, the date of the last login, whether the account belonged to an Adobe employee, and subscription and payment status.

This data was found last week, on Saturday, October 19, by security researcher Bob Diachenko from Security Discovery and Paul Bischoff, a tech journalist for Comparitech.

The two notified Adobe's security team[1], who secured the server on the same day.

Diachenko and Bischoff lauded Adobe for their quick response and admitted that the data leak was not as severe as other leaks they've found in the past at other companies, as it did not contain passwords, payment data, or even something as basic as customer names.

Spear-phishing warning

However, it is unclear if someone else also accessed this database and downloaded its content. The data inside could be used to send spam to users who had their email addresses exposed.

Specifically, hackers could target owners of active Adobe premium accounts with phishing emails to hijack high-value Creative Cloud accounts, which they could later resell on specialized dark web markets.

For its part, Adobe admitted to the leaky server[2] in a blog post last night, Friday, October 25.

The cloud-based software company blamed the incident on a

Read more from our friends at ZDNet