fbpx

DIY Photography

Hacking Photography - one Picture at a time

Search

Submit A Story

Adobe data breach exposed almost 7.5 million Creative Cloud accounts to the public

by 24 Comments

Adobe was recently hit with a massive data breach, exposing nearly 7.5 million Creative Clouds accounts to the public. Reportedly, a database containing sensitive user info was easily accessible to anyone through a web browser.

 

According to Mashable, security researcher Bob Diachenko and Comparitech were the first to discover the database. It contained the data for almost 7.5 million Creative Cloud accounts, including the following: email addresses, the Adobe products they are subscribed to, account creation date, subscription and payment status, local time zone, member ID, time of the last login, and whether they were an Adobe employee.

Comparitech claims that Diachenko discovered the open database on 19 October and reach out to Adobe immediately. Adobe acted promptly to address the issue and they secured the database on the same day. After securing the database, Adobe issued a statement regarding the data breach:

“At Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update.

Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.

The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services.

We are reviewing our development processes to help prevent a similar issue occurring in the future.”

Diachenko believes the data was left exposed for about a week, according to Mashable. However, it’s just an assumption. It’s not clear when the database first became publicly accessible or if there was any unauthorized access before it got secured.

Luckily, no passwords or credit card numbers were listed in the breached database. However, the other personal data can still be misused and used for phishing scams. Therefore, be sure to pay attention to any suspicious emails in the future that claim to be from Adobe or their employees and be careful with whom you share any personal information or details about your CC subscription.

[via Mashable]

Related posts:

Adobe will no longer support Windows 7 in the next major Creative Cloud update Adobe After Effects now has content-aware fill which lets you remove objects from videos Using older Adobe CC apps could get you sued, Adobe warns Adobe has deactivated all Venezuelan Creative Cloud accounts in response to Presidential order

  • Thanks for the info.

  • Thanks

  • …again? Didn’t they learn from the last massive breach…

    • This is why I have 59 email accounts. If my Adobe account starts spewing spam, I’ll kill it and put Adobe on a new account. That way no other accounts will be hacked.

    • Michele Peterson Yeah well I can easy use an alias and kill it again, but that isn’t the point. Sensible data needs responsible behaviour on the side that wants me to trust it with that.

  • again?!

  • I don’t care that much about these data breaches.
    But it made me think…

    7.5 million accounts … with roughly $10 per subscription, it’s 75 Million USD per month. It should be possible to hire a few beta testers and provide new versions that don’t turn your computer into a completely useless piece of electronics.

    Just sayin’.

    • Stefan Kohler the question is how much of these accounts are still active. OK even if it’s 10 % it’s still 7.5 mills a month…

      • Piotr

        Even if they are no longer active, you can run a phishing campaign using that data, along the lines of “Your subscription has been renewed, if this is a mistake cancel using this link within 24 hours” and then show a “please update your billing information to proceed” type form.

        But depending on how they define “Creative Cloud Account”, the breach might also include dummy accounts without an active subscription from people who were forced into signing up for an Adobe ID when downloading Adobe Reader so Adobe could spam them with email marketing.

        But what worries me more than the data leaked in the actual breach is how they could be so unprofessional as to use real live customer data in a “prototype environment”. That’s the equivalent of testing if the insulation material used in your house is fireproof by setting your actual house on fire instead trying with a small material sample.

    • Piotr

      $10 is just for the photography bundle, most people (me included) are actually paying them a lot more than $10 a month.

      That being said, Photoshop, despite all its bloat, is one of the most stable and bug-free pieces of software for me. I couldn’t say the same about LR Classic or Premiere, though.

    • JarFil

      Adobe is a publicly traded company, you can check their financial reports. They’re making closer to $250M/month.

      https://news.adobe.com/press-release/corporate/adobe-reports-record-revenue-8

  • Thanks for notifying me Adobe. Why couldn’t I hear it from you versus seeing it on Facebook?

  • Piotr

    That’s not the first time something like this happens, they also had a breach a few years ago where massive amounts of credit card numbers (mine included) were leaked. From an IT security point of view, it’s only a matter of time until photos stored in the Lightroom cloud service or files uploaded using the CC File Sync and CC Libraries feature will be leaked.

    I think only few photographers and other creatives are aware of the risk that using services like these brings (not just Adobe’s). Imagine a photographer in a market like boudoir having to explain to their clients why their personal photos are suddenly being passed around publicly on the internet without any way to ever remove them.

    The trouble is, Adobe’s newer software more and more starts leaving out support for local workflows. For instance, LR Mobile can’t be used with images on a NAS via WiFi or VPN, only with the Adobe cloud. That’s convenient and simple for a hobbyist, but unacceptable for most professional photographers that are liable for anything that happens with their clients’ photos.

    • Renlish

      “Imagine a photographer in a market like boudoir having to explain to their clients why their personal photos are suddenly being passed around publicly on the internet without any way to ever remove them.”

      This is actually an old issue that has been happening for ages. Because many photographers are STUPID and use clients names as passwords or use extremely easy passwords to guess – like “welcome123” or “yourphotos123”. I used to trawl a forum that linked to “passworded” directories on hosted sites like SmugMug, Squarespace and Wix, not to mention the photographers own private websites. I spent a couple hours a week emailing photographers examples. None of them knew just how badly they’d let their clients down when it came to privacy. Now I just sit back and wait for the lawsuits to be reported.

      • Piotr

        If that’s true, it would explain why Adobe doesn’t care about providing cloud-less workflows for LR mobile – apparently most of their users don’t care about these things either, at least not until everything comes crashing down on them, at which point Adobe will then probably start to play catch up. I mean, apparently they are not even using end to end encryption on LR Mobile photos.

        Since it’s only account metadata that was leaked this time, we’ll have to wait a bit longer for the big bang. Hopefully it’ll happen sooner than later. But by that time we will probably have alternatives from Serif, Luminar etc. anyway. Phase One with Capture One has unfortunately been awfully quiet about a tablet versions that go beyond just looking at photos with Capture Pilot.

  • Since when have hackers become the public?

  • I had to change my credit card last time because of these fudge nuggets…
    That’s it I’m getting Affinity. Adobe can die for all I care.

    • Well, you better get rid of all your cards and go cash then. Doesn’t matter where you use your card, it is always possible to be stolen. Ain’t no such thing as a truly hack-proof system.

  • This is going to happen everywhere. There is no assurance anywhere online is safe. It is an arms race, and as soon as the defense improves, so do the weapons to break through.

    Simply live accordingly. Use good passwords, and vary between online sites. Then, when one gets broken through, it doesn’t give the thieves access to others.

  • Marko

    yet, when trying to delete my credit card info from their records, it is impossible. You have to call support, that according to some can take long to get through, and ask them to do so. Why?

    I can take my credit card number from any other service but Adobe does not let you. Bad business practice.

    • ditoiuc

      I use Revolut for online payments. You can generate a virtual credit card (VISA), use it and destroy it.

      • Marko

        Good to know. I will give it a look. Thanks.

  • There is no privacy on internet.
    It’s just someone else computer.
    One day or another, it will be out for all to see.

  • jason bourne

    Just another reason to avoid using software that’s cloud-based.

Recent Posts