The U.S. multinational computer software company Adobe suffered a serious security breach earlier this month that exposed a database of user records belonging to the company’s popular Creative Cloud service.
With an estimated 15 million subscribers, Adobe Creative Cloud or Adobe CC is a subscription service that gives users access to the company’s full suite of popular creative software for desktop and mobile, including Photoshop, Illustrator, Premiere Pro, InDesign, Lightroom, and many more.
What happened? — Earlier this month, security researcher Bob Diachenko collaborated with the cybersecurity firm Comparitech to uncover an unsecured Elasticsearch database belonging to the Adobe Creative Cloud subscription service that was accessible to anyone without any password or authentication.
How many victims? — The inadvertently exposed database, which has now been secured, contained the personal information of nearly 7.5 million Adobe Creative Cloud user accounts.
What type of information was exposed? — The exposed information included Creative Cloud users’:
- Email addresses
- Account creation date
- The Adobe products they subscribed to
- Subscription status
- Payment status
- Member IDs
- Time since the last login
- Whether the user is an Adobe employee
What might attackers have achieved? — Although the misconfigured cloud database did not include any passwords or financial information such as credit card numbers, the exposed data is still severe enough to expose Adobe CC users to highly targeted and convincing phishing attacks.
How did Adobe address the security breach? — Diachenko discovered the exposed database and immediately notified Adobe on October 19.
The company responded to the security incident swiftly and shut off public access to the database on the same day, according to a blog post published by Adobe on Friday.
However, it’s still unclear how long the database containing records of 7.5 million Adobe Creative Cloud users was exposed before the researcher discovered it.
What should users do? — It’s unknown whether anyone else accessed the database without authorization before the researcher discovered it, but in case someone did, users should mainly be suspicious of phishing emails, which are usually cybercriminals’ next step in an attempt to trick users into giving up further details like passwords and financial information.
Though the database did not expose any financial information, it is always a good idea to be vigilant, keep a close eye on your bank and payment card statements for any unusual activity, and report any you find to the bank.
Adobe also offers two-factor authentication that users should enable to help them secure their accounts with an additional layer of security.