The customer records of nearly 7.5 million Adobe Creative Cloud users were discovered by a security researcher this month in an inadvertently exposed database which has now been secured.
The records exposed in the security mishap did not contain any passwords or payment information, but instead offered accurate information about millions of customers’ accounts, including which Adobe products they use, member IDs, and subscription and payment statuses.
Experts warn that if criminal actors acquired the data, affected Adobe customers would face heightened risk of falling victim to sophisticated spear-phishing attacks—scams usually aimed at acquiring a specific individual’s payment card details or account credentials. At time of writing, it remains unclear whether Adobe managed to successfully secure the data before it could be stolen.
Spear-phishing, which can be very costly to their victims, typically involves criminals masquerading as a particular service provider, Satnam Narang, a senior research engineer at Tenable, told Gizmodo. The aim is to trick users into believing fake company emails are legitimate in an effort to solicit additional private information or compromise their accounts.
“In this case, the information exposed is a gift to scammers, because it provides them with accurate information on Adobe Creative Cloud customers. Fortunately for these customers, their payment information was not exposed,” Narang said. He warned, however, that scammers “could certainly utilize this information to launch precise phishing attacks against these customers by sending them a warning about an issue with their subscription.”
According to Comparitech, which first broke the news on Friday, the data was uncovered on October 19 by noted security researcher and data-breach hunter Bob Diachenko. The pro-consumer website said it was unclear how long the records had been exposed or if anyone else accessed them prior to Diachenko’s discovery.
Comparitech reported the exposure included the following subscriber data:
- Email addresses
- Account creation date
- Which Adobe products they use
- Subscription status
- Whether the user is an Adobe employee
- Member IDs
- Time since last login
- Payment status
In a statement, Adobe said it “became aware” of a vulnerability related to work on one of its prototype environments and that it promptly secured it. “The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services,” the company said.
Comparitech confirmed in its report that Adobe reacted quickly upon notification, securing the exposed database the same day.
“We are reviewing our development processes to help prevent a similar issue occurring in the future,” Adobe said.
Thom Bailey, cybersecurity strategist at Mimecast, told Gizmodo that the exposure posed not only a potential risk to individual Adobe subscribers, but the companies that employ them as well. “With the details that have been exposed, a well-crafted spear phishing campaign could gain an attacker entry into an organization’s network from which they could deliver malicious code or engage in lateral movement to company data,” he said.
Bailey added that its more imperative than ever for companies to have strong email security systems in place to guard against potential phishing attacks. “If not, attackers with malicious intent could easily break through the human firewalls of these organizations and access even more critical information,” he said.
Adobe customers should be on the lookout for suspicious emails directing them to log into their accounts or submit payment information.
As a general rule, users should never click on any account-related links they receive via email, no matter how official they may appear. Instead, go to the Adobe website in a separate tab and resolve any potential account issues after logging into the website directly.
Adobe also offers the ability to secure the accounts using two-factor authentication, a security feature all users should have enabled to help ward off attacks.
Update, 5:20pm: Adobe confirmed the incident in an email to Gizmodo. We’ve added a brief statement from the company above.