Adobe accidentally exposed private details of over 7 million Creative Cloud accounts to the public, putting members at risk of targeted phishing scams.
The problem was first reported by Comparitech who discovered (in partnership with security researcher Bob Diachenko) that the account details were exposed in a database that anyone could access via a browser without any password or authentication.
Account data includes email addresses, account creation date, Adobe products used, subscription status, if user is an Adobe employee, member ID, country, last login time and payment status. Things like payment details and account passwords were not exposed to the database.
Diachenko immediately notified Adobe on October 1[ads1]9 of the problem, which he estimates was present for about a week, and the database was secured the same day. It is currently unknown whether the database was opened by third parties while it was exposed.
Adobe confirmed the details of the "vulnerability" in a security update posted on the site:
At Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update.
Late last week, Adobe became aware of a vulnerability related to work in one of our prototype environments. We immediately closed the misconfigured environment and addressed the vulnerability.
The environment contained Creative Cloud customer information, including email addresses, but did not include passwords or financial information. This issue was not connected, nor did it affect the operation of Adobe's core products or services.
We are reviewing our development processes to prevent a similar problem from arising in the future.
“The exposed user data was not very sensitive, but it could be used to create phishing campaigns that target Adobe users if email messages were leaked, Comparitech notes. "Fraudsters can pose as Adobe or a related company and trick users into releasing additional information, such as passwords, for example."
Adobe incurred another major data breach in 2013 that exposed credit cards and login information to an unknown number of users in a data breach that affected at least 38 million users and possibly up to 150 million .
If you are a subscriber to Adobe Creative Cloud, keep an eye out for emails purporting to be from Adobe and double check that they are actually from the company before responding or acting in any way.
(via Comparitech via Mashable)
Image credits: Lock icon in SimpleIcon headline illustration and licensed under CC BY 3.0