ADOBE HAS COME CLEAN about an unsecured Elasticsearch server which contained pertinent details of some 7.5 million Creative Cloud users.

Security firm Comparitech discovered the server on 19 October, and Adobe fixed the issue on the day it was disclosed. Although perhaps the real question is why a server with personal data on it was left accessible via a web browser without a password.

"Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments," Adobe wrote in a blog post. "We promptly shut down the misconfigured environment, addressing the vulnerability."

While Adobe is keen to point out that the breach "did not include any passwords or financial information" - caring enough to italicise the word "not" - it accidentally missed out what it did contain. So here's a full list:

Email addresses

Account creation dates

Subscribed products

Subscription statuses

Payment statuses

Member IDs

Country

Time since last login

Whether the user is an Adobe employee

You're welcome, Adobe.

It doesn't take a genius to figure out how this could still be problematic even without passwords or financial information. If an email address has been part of another leak and its owner tends to reuse passwords, for example, then somebody could easily log in and take over an account. And they'd be able to pick an account that was relatively inactive, too, based on the "last login" time. That's not even getting into the spear-phishing hijinks this could unleash.

This is all hypothetical, because Comparitech doesn't know if anybody else accessed the server while it was open. The firm isn't even sure how long it was open for, though it guesses "about a week".

"We are reviewing our development processes to help prevent a similar issue occurring in the future," Adobe concluded. So at least some good has come of this. Maybe.

In the meantime, be on the lookout for suspicious emails purporting to be from Adobe. And if you reuse passwords, for goodness' sake, stop it at once.