Adobe has confirmed a security vulnerability that exposed the personal information of more than 7.5 million users, according to reports.
The vulnerability was discovered while Adobe was working on one of its ‘prototype environments’ and has left millions of customers vulnerable to phishing attacks aimed at capturing more sensitive data.
The news was first broken by Comparitech’s Paul Bischoff, who partnered with security researcher Bob Diachenko to discover the exposed database and then reported on the finding.
“Diachenko immediately notified Adobe on October 19 and the company secured the database on the same day,” Bischoff’s report notes. “We do not know when, exactly, the database first appeared, but Diachenko estimates it was exposed for about a week. We do not know whether anyone else gained unauthorized access to the database in the meantime.”
The information accessible included email addresses, account creation date, which Adobe products were being used, subscription status, member IDs, country, payment status, time since last login and whether or not the user was an Adobe employee, according to the report.
Bischoff notes that “the information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”
“The information does not pose a direct financial or security threat. No credit cards or other payment information was exposed, nor were any passwords,” the report says.
Adobe has since released an official statement on the data leak, saying that “at Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update. Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.”
“The environment contained Creative Cloud customer information, including email addresses, but did not include any passwords or financial information.” While Adobe reassured customers that “this issue was not connected to, nor did it affect, the operation of any Adobe core products or services,” according to Adobe’s own website the Creative Cloud has been downloaded more than 300 million times.