Security researchers discovered an unsecured Adobe Creative Cloud Elasticsearch database that exposed nearly 7.5 million user records.
Researcher Bob Diachenko in partnership with Comparitech uncovered the exposed database that could be accessed without any password or user authentication.
Diachenko immediately reported the issue to Adobe on October 19 and Adobe addressed the issue on the same day. The researchers estimate the database instance may have been exposed up to a week.
Although no payment card data or passwords were exposed, the following data elements were discovered according to the Comparitech report:
- Email addresses
- Account creation date
- Which Adobe products they use
- Subscription status
- Whether the user is an Adobe employee
- Member IDs
- Time since last login
- Payment status.
As a result, fraudsters could use the data for future phishing campaigns that target Adobe Creative Cloud customers. However, there has been no evidence of any other unauthorized access to the data in the mean time.
Adobe later published a statement on October 25 and stated they were “aware of a vulnerability related to work on one of our prototype environments.” The company also confirmed no passwords were impacted. In addition, no accounts related to core Adobe products or services were impacted.
For steps to help secure Elasticsearch data, readers can check out these security guidelines. The guidance includes user password protections, encrypting communications, role-based access control, IP filtering and auditing.