Software giant, Adobe announced nearly 7.5 million users of their Creative Cloud service were exposed to hackers due to an unsecured server.
Security researcher Bob Diachenko worked with Comparitech, on October 19 to discover that the unsecured ElasticSearch server was available online without any password protection or authentication of any kind.
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example,” wrote Paul Bischoff, a Comparitech privacy advocate.
The leak revealed email addresses, account creation dates, subscribes, products, subscription records, payment records, and member IDs. However, the company insisted that passwords and financial information were not breached.
Adobe immediately closed the vulnerable server and released a statement on the data leak.
“Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability,” read the brief statement. “We are reviewing our development processes to help prevent a similar issue occurring in the future.”
“Phishing campaigns often follow hot on the heels of breaches like this, targeting the victims with fake security warnings that look like they came from the breached company,” said CEO and Co-Founder of Valimail, cybersecurity and anti-phishing startup Alexander García-Tobar. “In fact, 83 percent of phishing emails overall are brand or company impersonations. CISOs and CIOs face a daunting task against a relentless wave of impersonation attacks. Sender identity-based email security solutions are a powerful defense that can help stem these attacks.”
This isn’t Adobe’s first rodeo either. In October 2013, Adobe suffered a breach that affected 38 million users, where attackers stole 3 million customer IDs, encrypted passwords, along with the source code for a number of products.
Clearly more needs to be done. Despite cloud misconfigurations and attacks continuing to make headlines, recent research by Ponemon Institute shows that nearly 48% of corporate data is stored in the cloud, while 32% of organizations admit they fail to engage in a security-focused approach to data storage.