Adobe Just Exposed the Data of 7.5 Million Customers to Hackers


Security researchers have revealed that Adobe exposed the personal data of 7.5 million Creative Cloud subscribers to potential hackers. Fortunately, no payment details or passwords were included and the vulnerability was addressed by Adobe immediately after its discovery.

Bob Diachenko, a researcher working with Comparitech, discovered the vulnerability last week. A database listing the email address, account creation date, and subscription status was available without a password to anyone who could find it.

As no financial details or account passwords were part of the database, the danger to customers is relatively small. But as Comparitech notes, the exposure leaves those affected vulnerable to phishing emails, as scammers could easily pose as Adobe employees and go on to request security and credit card details.

Diachenko contacted Adobe straight after discovering the vulnerability and Adobe took immediate action. It’s thought that there are 15 million subscribers to Adobe’s Creative Cloud, suggesting that this database vulnerability could have affected up to half of its customers.

Both Diachenko and Comparitech have an impressive resume when it comes to discovering insecure data on the internet, having discovered an easily accessible database earlier this year that contained the personal details of 188 million people.

As yet, it appears that Adobe has not contacted its customers directly in order to advise them that their data was exposed, but it has made the following statement:

At Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update.

Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.

The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services.

We are reviewing our development processes to help prevent a similar issue occurring in the future.

You can read the response in full on the Adobe blog.


Andy Day is a British photographer and writer living in France. He began photographing parkour in 2003 and has been doing weird things in the city and elsewhere ever since. He's addicted to climbing and owns a fairly useless dog. He has an MA in Sociology & Photography which often makes him ponder what all of this really means.

20 Comments

This explains why I had a lot of failed login tries on multiple platforms. They probably tried to use my adobe password to get access to other stuff.

Please read the article.
No passwords were in the account dump.
"but did not include any passwords or financial information."
So, no, it's not linked together.

"The environment contained Creative Cloud customer information, including e-mail addresses...". If Navi Retlav's email address was used as his login name, that could explain his troubles.

And when trying to remove credit card info from Adobe site well, surprise, surprise, they don't allow you. You have to cancel the subscription in order to do that. Their practice should be illegal at best. No other subscription-based company is so slimy as Adobe.

Autodesk are pretty sneaky too.

I heard about them but never had to deal with them. It is too bad companies have to resort to this kind of dealing.

Amazon also proved to be sneaky. They charged my wife and me for prime subscription twice without us asking for it. They never sent an email and we just saw strange charges on our credit card. No wonder they become so rich.

Adobe subscriptions are a joke. They billed a company I worked for when they didn't even have the software installed after concluding one month usage. Adobe never cancelled the subscription and refused to refund it, had to invoke the GDPR to request all personal data and communication logs of the software installed which they finally backed down and refunded all monies. Sadly that took 12 months and two legal letters.

Is Adobe even in compliance with the GDPR?

Probably not. I doubt Adobe cares much about international laws. The problem is that the EU is so divided and there is so much infighting (as it has been for centuries) that there is not good rule of law to apply and enforce companies to comply.

Of course you cannot remove the CC info unless you unsubscribe. That is common sense, if they delete the CC info how on earth are they going to bill you the next month? Every company that has an Auto Payment or subscription payment has your CC or bank info. If they say they don't then they are lying. Just activate your CC and banks charges notifications and Credit Bureau's notifications which are free and if anything happens you will get a timely and in most cases instant notification of charges or inquiries.

Nonsense, I pay annually. It's not the only company I have an annual sub with. When it's annually, other companies send me a reminder that my sub is about to expire.

They don't need my info, it's stupid and should be illegal.

So you pay your cable, phone and utilities, plus your credit cards annually? All of them offer and even encourage Autopay. Plus if you have Netflix, Hulu, Amazon, etc, they all charge you automatically every month, they are subscription services. If it should be illegal to have a subscription service, these services are charged monthly, need your info to do so and should all be illegal according to you.

I don't think you get it. They do not need my card info if I pay ANNUALLY.

They don't need my card info after I paid. They just have to send me a reminder when the time comes.

Adobe does not even do that. They just informed me that I just paid. Amazon does the same with Prime. There is no "your sub will be renewed in this and that date", they just pass your card. They count on the fact that, like you, most people can't remember and they just pay.

You might be OK with that but many are not.

But that's not the point at all, is it? The fact that even when I pay annually they still do not let me take my credit card info off their server is a violation. Cut my service when due date is up and I did not renew.

7 million customers or 7 million accounts?

This is one of the dangers of cloud development.... one retarded developer spins up a database server on aws or azure, comes with a real world ip address by default and publicly accessible, doesn't bother to secure the server, copies user data on to it... There is no hacking involved... just searching around aws and azure ip space looking for default setup db servers...

Well, they are certainly living up to their transparency promise...

Pft, what you going to do about it? Move to Capture 1?

Stand alone software is the only way to go. It's either they don't care too much about security or they facilitated the issue. It's only gonna get worse.

You have to buy the Stand Alone software somewhere, so your CC or Bank Card can be scanned by an employee or the retail company's database hacked. Even if you buy at Walmart or BestBuy at the store all the transactions are electronically available so they can charge the Bank or CC company. Just be safe and activate your banks and CC's charges notifications which is a free service and even the Credit Bureau's changes and inquiries notifications are free.

It's sad but it's a reality - mistakes happen - with larger consequences when they happen on the cloud. Adobe should've taken more care - and Adobe should make it up by giving every customer at least a one year free to compensate for the harm done. Just an apology doesn't seem enough to me.
It isn't the first time Adobe makes such mistakes, isn't it?