The customer records of nearly 7.5 million Adobe Creative Cloud users were reportedly discovered by a security researcher this month in an inadvertently exposed database, which has now been secured.
The records reportedly exposed in the security mishap did not contain any passwords or payment information, but instead offered accurate information about millions of customers’ accounts, including which Adobe products they use, member IDs, and subscription and payment status.
Experts say the exposure of such detailed account information would place Adobe customers at a high risk of being targeted by scams—attempts to acquire payment information or account credentials—had cybercriminals managed to acquire the data. It remains unclear whether that’s the case.
Scammers often masquerade as a particular service provider, Satnam Narang, a senior research engineer at Tenable, told Gizmodo. The aim is to trick users into believing fake company emails are legitimate in an effort to solicit additional private information or compromise their accounts.
“In this case, the information exposed is a gift to scammers, because it provides them with accurate information on Adobe Creative Cloud customers. Fortunately for these customers, their payment information was not exposed,” Narang said. He warned, however, that scammers “could certainly utilise this information to launch precise phishing attacks against these customers by sending them a warning about an issue with their subscription.”
According to Comparitech, which first broke the news on Friday, the data was uncovered on October 19 by noted security researcher and data-breach hunter Bob Diachenko. The pro-consumer website said it was unclear how long the records had been exposed or if anyone else accessed them prior to Diachenko’s discovery.
Comparitech reported the exposure included the following subscriber data:
Account creation date
Which Adobe products they use
Whether the user is an Adobe employee
Time since last login
Adobe did not immediately return a request for comment. There was no statement concerning the exposure on the company’s website at the time of writing. Comparitech reported that the company reacted quickly after it was notified about the exposure and secured the database on the same day.
Adobe customers should be on the lookout for suspicious emails directing them to log into their accounts or submit payment information.
As a general rule, users should never click on any account-related links they receive via email, no matter how official they may appear. Instead, go to the Adobe website in a separate tab and resolve any potential account issues after logging into the website directly.
Adobe also offers the ability to secure accounts using two-factor authentication, a security feature all users should have enabled to help ward off attacks.