Adobe has pulled offline a public-facing, poorly secured Elasticsearch database containing information on 7.5 million Creative Cloud customers.
The cloud-based silo was uncovered by infosec detective Bob Diachenko, who reported it to Adobe last week.
The exposed records include email addresses, account creation dates, details of products purchased, Creative Cloud subscription statuses, member IDs, countries of origin, subscription payment statuses, whether the user is an Adobe employee, and other bits of metadata.
For those out of the loop, Creative Cloud is the online successor to Adobe’s software suite of things like Photoshop, Illustrator, and Premiere. Users pay a monthly fee to access the various apps rather than buy them on CD.
The database contains pretty bog-standard information about subscribers, and neither payment card details nor passwords were included, so if you were one of the 7.5 million exposed, you’re probably not in any danger of fraud or the theft of Creative Cloud subscriber accounts.
However, as Comparitech editor Paul Bischoff, who worked with Diachenko to report the wayward database to Adobe, noted today, these sorts of small details could be very useful for social engineering. They may not let a thief steal your account directly, but they could be the first step toward a compromise via phishing emails.
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams,” Bischoff explained.
“Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”
Source: www.theregister.com