Due to a configuration error, Adobe’s Elasticsearch database can be connected without a password. This problem caused the basic information of nearly 7.5 million Adobe Creative Cloud users to be exposed on the Internet. This information primarily includes account information, including user IDs, countries, email addresses, and Adobe products used by users, as well as account creation dates, last login dates, whether users are Adobe employees, and subscription and payment status. How ever, these databases do not include passwords or financial information.
On October 19th, Security Discovery expert Bob Diachenko and CompariTech technical journalist Paul Bischoff discovered the leaked data. The two notified Adobe’s security team, which maintained the server on the same day. This time the data leak is not as serious as it was found in other companies in the past because it does not contain passwords, payment data, or even the user’s real name. However, it is unclear whether other people have also accessed the database and downloaded these databases. It is possible for a hacker to send phishing emails to users who have exposed their email address and steal the user’s Creative Cloud account for dark network sales.
Adobe responded to the incident in a blog post on October 25 and said the incident was caused by a configuration error that caused the server to be exposed to the Internet.