Multinational software company Adobe has suffered a data leak that exposed the account information of an estimated 7.5 million customers, according to security researcher Bob Diachenko. Those affected were subscribers to Adobe’s Creative Cloud service which provides users with access to its line of software applications which includes Photoshop, Illustrator, and After Effects, among others. This leak is the result of an unsecured and poorly implemented Elasticsearch database.
The researchers discovered the database on October 19th and notified Adobe the same day. Exposed information includes email addresses, owned products, account creation date, subscription status, account ID, country, last login date, and if the user is an Adobe employee. The database did not include any financial information or passwords. It is also unknown whether this database had been stumbled upon before researchers found and disclosed it to Adobe. Adobe released a blog post stating that” last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.” Adobe also confirmed that the data did not include any passwords or financial information.
This is not the first time Adobe has been careless about how user information is stored. In 2013, Adobe suffered a major data breach that affected at least 38 million users but could have affected up to 150 million. This 2013 breach also resulted in the loss of password data as well as stolen source code for several Adobe products. Analysis of this breach found that Adobe was improperly storing passwords, allowing for many of the most common passwords to be guessed. At the time, the 2013 breach was considered one of the worst data breaches to have occurred.
While the leaked data may seem unalarming, it may still be a cause for concern. Using the leaked data, a malicious actor could create a very targeted phishing campaign. Typically, phishing emails are sent to a wide range of individuals, and because of this tend to not include information relevant to the recipient. However, using this data an individual could use details such as first and last name, account number, subscription status, and last login date to create a very convincing phishing email. While, as previously stated, it is unknown as to whether this information was found by anyone else, users should still be aware of possible phishing emails containing Adobe account information.
Sources
• https://thehackernews.com/2019/10/adobe-database-leaked.html
• https://securityaffairs.co/wordpress/92986/breaking-news/adobe-creative-cloud-data-leak.html11