Adobe has become the latest company to be caught leaving an Elasticsearch database full of customer data exposed on the internet.
Discovered on 19 October by data hunter Bob Diachenko and security company Comparitech, the unsecured database contained the email addresses of nearly 7.5 million customers of Adobe’s Creative Cloud, plus the following:
- Account creation date
- Adobe products used
- Subscription status
- Whether the user is an Adobe employee
- Member IDs
- Time since last login
- Payment status
That’s the email addresses of around half of Creative Cloud’s customer base although not, importantly, any of their passwords or payment information. Nevertheless, said Comparitech, spelling out the risk of phishing attacks:
Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.
Judging from clues in the data, Diachenko believes it might have been exposed for around a week. It’s not possible to tell whether anyone else accessed the data during this time.
You’ve heard this before
Adobe secured the database on the same day it was told and has since issued a brief statement admitting the security error:
Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.
And by way of scant reassurance:
This issue was not connected to, nor did it affect, the operation of any Adobe core products or services.
That sounds like Adobe’s way of saying that the operation of user accounts was not affected.
Resetting an Adobe account on the basis of this breach is probably not necessary and wouldn’t in any case protect against subsequent phishing attacks.
A better idea is to make sure that extra authentication has been enabled in the account settings by going to Change Password > Two-step verification. Choose from SMS text messages or an app-generated code).
Diachenko and Comparitech has a track record of uncovering exposed databases, including in August a MongoDB database belonging to a Mexican publisher, another in May containing the records of 275 million Indians, and an Elasticsearch database in November 2018 containing details of 57 million Americans.
It all goes to show that while the data hackers are a known risk, the companies whose job it is to tend data can be just as big a problem.