Data of around 7.5 million Adobe Creative Cloud users was exposed by an unsecured Adobe server. Anyone could access it without any username/password authentication, but it has now been secured.
The Adobe Creative Cloud subscription, which arrived in 2013, includes access to a variety of Adobe products such as Illustrator, Photoshop, Lightroom, After Effects, InDesign, Premiere Pro, Audition, and many more.
Cybersecurity firm Comparitech, which earlier also uncovered 7 million student records exposed by K12.com, and security researcher Bob Diachenko uncovered this Elasticsearch database earlier this month, according to a report by The Hacker News.
The firm and the researcher reported the exposure to Adobe on October 19, and because of its severity the misconfiguration was fixed the same day.
The exposed database includes information such as:
- Email addresses of users
- Account creation date
- Which Adobe products they subscribed to
- Subscription status
- Payment status
- Member IDs
- Whether the user is an Adobe employee or not
- Time since the last login
The leaked information can be used to target users with phishing and scam attacks. An attacker could trick an estimated 15 million users and gain various other information too.
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example. The information does not pose a direct financial or security threat. No credit cards or other payment information was exposed, nor were any passwords.” (Blog post, Comparitech)
After fixing the issue, Adobe yesterday updated a blog post describing the issue and its fix: “Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.”
Users can further protect themselves by enabling two-factor authentication and by not providing information to any unknown email or website pretending to be Adobe.