Adobe Creative Cloud has over 15 million subscribers. The monthly subscription service provides access to the suite of Adobe products, including Photoshop, Lightroom, InDesign, Illustrator, Premiere Pro, Audition, After Effects, and others. The exposed database suggests that Adobe left 7.5 million records exposed to the internet. Security researcher Bob Diachenko and Comparitech uncovered the exposed database.
The company had left its users' data on a publicly accessible server. The researchers found an Elasticsearch database that contained data of Adobe Creative Cloud users. Anyone with internet access could easily view the data without any authentication.
The unprotected server contained 7.5 million user records. The data included personal information of individuals, including email addresses, member ID, country, date of creation, and subscription and payment status. The data also describes which products the user has subscribed to and the date of last login.
Comparitech’s report states,
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”
The researchers notified Adobe on October 19, 2019. The company secured the database on the same day. However, it is not confirmed whether anybody else accessed the database while it was available.
This is not the first time Adobe has been in the news for data privacy problems. Adobe suffered a massive data leak impacting 38 million users in October 2013. Attacks and exposures caused by cloud misconfiguration continue to make headlines. Organisations need to rework their priorities and follow a security-first approach.