
Adobe leaks half of its cloud user data



    Last week, security researchers discovered a database that could be accessed without the use of a password. The leak was patched on the same day.


    Nearly 7.5 million Adobe Creative Cloud user records were left exposed to anyone with a web browser, including email addresses, account information, and which Adobe products they use.

    Comparitech partnered with security researcher Bob Diachenko to uncover the exposed database. The Elasticsearch database could be accessed without a password or any other authentication.

    Diachenko immediately notified Adobe on October 19 and the company secured the database on the same day.

    Timeline of the exposure

    Upon discovering the exposed data, Diachenko immediately took steps to notify Adobe.
    • October 19, 2019 – Security researcher Diachenko discovered the exposed data and immediately notified Adobe.
    • October 19, 2019 – Adobe secured the instance.

    We do not know when, exactly, the database first appeared, but Diachenko estimates it was exposed for about a week. We do not know whether anyone else gained unauthorized access to the database in the meantime.

    What information was exposed?

    The exposed user data wasn’t particularly sensitive, but it could be used to create phishing campaigns that target the Adobe users whose emails were leaked. The following user data was included:
    • Email addresses
    • Account creation date
    • Which Adobe products they use
    • Subscription status
    • Whether the user is an Adobe employee
    • Member IDs
    • Country
    • Time since last login
    • Payment status

    The data did not include payment information or passwords.

    Dangers of exposed data to Adobe Creative Cloud users

    The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.

    The information does not pose a direct financial or security threat. No credit cards or other payment information was exposed, nor were any passwords.


    Comparitech conducts security research that entails scanning the web for exposed databases. When we uncover a database that hasn’t been properly secured and allows unauthorized access, we immediately notify the owner.

    Our aim is to mitigate potential harm to end users. Bob Diachenko leans on his extensive cybersecurity experience to quickly uncover breaches, analyze the data, and track down the responsible organization.

    Once the database has been secured, we write a report like this one to help notify affected users and make them aware of the risks. We hope our work can make users safer and limit abuse by malicious parties.


    Thoughts: While it is not as serious as the previous leak back in 2013 that had payment information, it is a kind reminder to change your credentials every so often. I am still using CS4 so this doesn't affect me at all.
