With an estimated 15 million subscribers, Adobe Creative Cloud or Adobe CC is a subscription service that gives users access to the company's full suite of popular creative software for desktop and mobile, including Photoshop, Illustrator, Premiere Pro, InDesign, Lightroom, and many more.
What happened? — Earlier this month, security researcher Bob Diachenko collaborated with the cybersecurity firm Comparitech to uncover an unsecured Elasticsearch database belonging to Adobe Creative Cloud subscription service that was accessible to anyone without any password or authentication.
How many victims? — The inadvertently exposed database, which has now been secured, contained personal information of nearly 7.5 million Adobe Creative Cloud user accounts.
What type of information was exposed? — The exposed information included Creative Cloud users':
- Email addresses
- Account creation date
- The Adobe products they subscribed to
- Subscription status
- Payment status
- Member IDs
- Time since the last login
- Is the user an Adobe employee
What might attackers have achieved? — Since the misconfigured cloud database did not include any password or financial information such as credit card numbers, the exposed data is severe enough to expose Adobe CC users to highly targeted and convincing phishing attacks.
"The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams," Comparitech said in a blog post. "Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example."
How Adobe addressed the security breach? — Diachenko discovered the exposed database and immediately notified Adobe on October 19.
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
The company responded to the security incident swiftly and shut off public access to the database on the same day, according to a blog post published by Adobe on Friday.
"Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability," Adobe said.
"This issue was not connected to, nor did it affect, the operation of any Adobe core products or services. We are reviewing our development processes to help prevent a similar issue occurring in the future."
However, it's still unclear how long the database containing records of 7.5 million Adobe Creative Cloud users was exposed before the researcher discovered it.
What users should do? — It's unknown if the database had been unauthorizedly accessed by anyone else before the researcher discovered it, but in case they discovered it, users should mainly be suspicious of phishing emails, which are usually the next step of cyber criminals in an attempt to trick users into giving up further details like passwords and financial information.
Though the database did not expose any financial information, it is always a good idea to be vigilant and keep a close eye on your bank and payment card statements for any unusual activity and report to the bank, if find any.
Adobe also offers two-factor authentication that users should enable to help them secure their accounts with an additional layer of security.