Adobe left the private information of approximately 7.5 million users exposed. The exposed records included email addresses, account creation dates, subscribed products, payment statuses, member IDs, time since the last login, country locations, and whether the user is an Adobe employee, along with many other details.
The records were exposed because an Elasticsearch database containing them was left connected to the internet without a password, according to ZDNet.
Although payment information and passwords were not exposed, the leak still makes subscribers targets for phishing campaigns.
The subscriber records were easily available to anyone on the web, which was noticed by researcher Bob Diachenko and security firm Comparitech. The researchers immediately notified Adobe on 19th October, after which Adobe secured the database on the same day.
In a post about this incident, Comparitech warned of the risk of further phishing attacks: “Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords.”
Adobe Creative Cloud is a set of applications that gives subscribers access to Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects, and many others, for a monthly fee.
Adobe acknowledged the incident in a message posted on its website:
“At Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update. […] Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.”
It also said: “The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services. We are reviewing our development processes to help prevent a similar issue occurring in the future.”
You can read more about it in Adobe's official blog post.
Adobe users should opt for an extra security layer by enabling two-factor authentication (2FA). It can be enabled in the account from Settings. Choose Change Password > Two-step verification. You can use the SMS or app-generated code options for it. This is highly recommended.
The data exposed this time is less than what was exposed in 2013. In 2013, according to Adobe, attackers stole the usernames and encrypted passwords of 38 million customers. Adobe had to pay US$1.2M plus settlements. In July 2019, Capital One Financial Corp. was hacked in an incident that accidentally made private information public. There is still a long way to go for cloud security.
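The root cause reported above, an Elasticsearch database reachable online without a password, can be caught before deployment by auditing the node's `elasticsearch.yml`. The following is an added example, not code from Adobe, Comparitech or the article; the sample configs are constructed, the parser assumes flat `dotted.key: value` lines, and the `security_default` parameter is an assumption about what the node does when `xpack.security.enabled` is absent.

```python
# Added example (not from the article): audit elasticsearch.yml for the
# misconfiguration class described above: off-host binding with auth disabled.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}

# Constructed sample configs, not Adobe's actual settings.
PROTOTYPE = """
cluster.name: prototype      # weak: reachable off-host, no auth configured
network.host: 0.0.0.0
"""
HARDENED = """
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines (assumption: no nesting or lists)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" in line:
            key, value = line.split(":", 1)   # split once so '::1' survives
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit(text, security_default=False):
    """Return findings. security_default is the value assumed when
    xpack.security.enabled is absent (assumption: False, as on older releases)."""
    s = parse_flat_yaml(text)
    host = s.get("http.host", s.get("network.host", "_local_"))
    exposed = host.lower() not in LOOPBACK
    raw = s.get("xpack.security.enabled")
    auth = security_default if raw is None else raw.lower() == "true"
    tls = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings = []
    if exposed and not auth:
        findings.append("CRITICAL: HTTP API bound to %s with authentication disabled" % host)
    elif not auth:
        findings.append("WARN: authentication disabled (loopback only)")
    if exposed and auth and not tls:
        findings.append("WARN: credentials sent over plaintext HTTP")
    return findings

if __name__ == "__main__":
    for name, cfg in (("prototype", PROTOTYPE), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["OK"])
```

Run as a pre-deployment check, this fails the prototype config and passes the hardened one; firewall or security-group rules still need their own review.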