Millions of Adobe Customers Exposed in Privacy Snafu
Adobe has become the latest big name to expose customer details via a misconfigured database, after researchers discovered nearly 7.5 million accounts via an online search.
Security researcher Bob Diachenko teamed up again with Comparitech to find the Elasticsearch database, which was left online without any password protection.
That meant they could access millions of Adobe Creative Cloud customer records, which are estimated to have been exposed for around a week when the snafu was discovered on October 19.
Although the exposed information wasn’t particularly sensitive, it still contained enough details to be used in potential follow-on attacks, including: email address, account creation date, subscription status, which Adobe products were used, member IDs, country and payment status.
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example,” wrote Comparitech privacy advocate, Paul Bischoff.
“The information does not pose a direct financial or security threat. No credit cards or other payment information was exposed, nor were any passwords.”
Adobe Creative Cloud is a set of subscription services which offer graphic design, video editing, web development, photography and other capabilities. Some estimates claim it has around 15 million users, meaning nearly half of those may have been exposed in the privacy snafu.
However, it’s nowhere near the scale of the breach suffered by the firm several years ago, when 38 million customers had to have their passwords reset following a major data theft.
To the firm’s credit, it appears to have secured the Elasticsearch instance on the same day it was informed something was wrong by Diachenko.
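The root cause reported here, an Elasticsearch node reachable from the internet with no authentication, is a configuration defect that can be caught before a researcher finds it. The following is an added example, not code from Adobe, Comparitech or the Elasticsearch project: a small audit script that reads elasticsearch.yml and flags the combination of a non-loopback bind address and security left off. It assumes the file uses the flat `dotted.key: value` layout typical of elasticsearch.yml, and it treats a missing `xpack.security.enabled` as disabled, which was the default in Elasticsearch 7.x and earlier; the sample configs embedded in it are constructed for illustration.

```python
"""Audit elasticsearch.yml for the "no password, reachable from the network"
misconfiguration behind the exposure described above.

Added example, not code from Adobe, Comparitech or the Elasticsearch project.
Assumptions: flat `dotted.key: value` YAML, and a missing
xpack.security.enabled is treated as disabled (the 7.x-and-earlier default).
"""
import ipaddress

# Values Elasticsearch accepts for network.host that stay on the local machine.
LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}
# Values that bind every (or every routable) interface.
WILDCARD_ALIASES = {"_global_", "_site_", "0.0.0.0", "::", "0"}


def parse_flat_yaml(text):
    """Minimal parser for flat `key: value` lines; handles comments, quotes and [a, b] lists."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("'\"")
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        settings[key.strip()] = value
    return settings


def is_reachable_beyond_host(host):
    """True if any configured bind address is something other than loopback."""
    for h in host if isinstance(host, list) else [host]:
        if h in LOOPBACK_ALIASES:
            continue
        if h in WILDCARD_ALIASES:
            return True
        try:
            if ipaddress.ip_address(h).is_loopback:
                continue
        except ValueError:
            pass  # hostname or interface alias such as _eth0_: assume reachable
        return True
    return False


def truthy(settings, key):
    return str(settings.get(key, "false")).strip().lower() == "true"


def audit(config_text):
    """Return a list of 'SEVERITY: finding' strings; an empty list means nothing to report."""
    s = parse_flat_yaml(config_text)
    # Elasticsearch binds loopback when network.host is unset; http.host overrides it for the REST API.
    bind = s.get("http.host", s.get("network.host", "_local_"))
    port = s.get("http.port", "9200")
    exposed = is_reachable_beyond_host(bind)
    auth = truthy(s, "xpack.security.enabled")
    tls = truthy(s, "xpack.security.http.ssl.enabled")
    findings = []
    if exposed and not auth:
        findings.append(f"HIGH: REST API on {bind}:{port} with no authentication; "
                        "every index is readable and writable by anyone who can reach the port")
    elif exposed and auth and not tls:
        findings.append(f"MEDIUM: authentication on but HTTP TLS off on {bind}:{port}; "
                        "basic-auth credentials cross the network in clear text")
    elif not exposed and not auth:
        findings.append("LOW: loopback-only bind with no authentication; "
                        "any local process or port-forward has full access")
    return findings


# Constructed sample configs (not Adobe's); the first resembles the reported exposure.
EXPOSED_CONFIG = """
cluster.name: cc-subscriber-analytics   # constructed example
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
"""

HARDENED_CONFIG = """
cluster.name: cc-subscriber-analytics
node.name: node-1
network.host: 10.0.5.21                 # private interface, still not loopback
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["no findings"])
```

Run it against each node's elasticsearch.yml as part of deployment checks; a HIGH finding means the data is one port scan away from being public, which is exactly the situation the article describes. The hardened config is only half the story: the private bind address still needs a firewall or security group in front of it, and the credentials and TLS keystore it references must actually be provisioned.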
Adobe has something of a dubious reputation in the cybersecurity world, thanks to the persistent threat posed by vulnerabilities in its Flash product, which is now blocked by default on most browsers.
Source: Information Security Magazine