The data of nearly 7.5 million Adobe Creative Cloud users have been exposed courtesy of an Elasticsearch database without a password.
The data included users' email addresses, the Adobe products they use, subscription status and member IDs. Payment status was also part of the exposed data but payment details and passwords were not included in the breach that was uncovered by security researcher Bob Diachenko and tech website Comparitech.
While the compromised data doesn't pose a financial or security threat, the data that was left exposed could be used in, among other things, phishing scams. It's even possible that cyber criminals could take on the role of Adobe or one of its employees and scam users into giving up further information.
It's unknown if anyone accessed the database before it was uncovered, or how long it had been exposed, but Diachenko estimates it was 'open' for around a week.
Diachenko contacted Adobe as soon as the breach was uncovered - October 19 - and the company secured the problem the same day. On October 25, Adobe released a statement: "We became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability."
