Last week, Adobe admitted of being the victim of a serious security incident exposing the personal information of nearly 7.5 million users. The information belonged to the company’s popular Creative Cloud service.
Adobe Creative Cloud service has approximately 15 million subscribers, providing them access to a suite of popular Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects, and many others.
The news was initially reported by security firm Comparitech. Comparitech partnered with security researcher Bob Diachenko to uncover the exposed database. They discovered that Adobe left an Elasticsearch server unsecured accessible on the web without any password or authentication required. The leak was plugged by Adobe after being alerted.
The official statement from Adobe reads, “Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability”.
The exposed database included details like:
- Email addresses
- Account creation date
- Which Adobe products they use
- Subscription status
- Whether the user is an Adobe employee
- Member IDs
- Time since last login
- Payment status
Adobe also admitted that the data did not include passwords, payment or financial information. Although there were no such sensitive information in the database, the consequence of such exposure can be increased possibility of targeted phishing email and scams.
“Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example,” Comparitech said. It’s therefore crucial that users turn on two-factor authentication to add a second layer of account protection.
Adobe is no stranger to data privacy problems; in October 2013, company suffered a similar kind of data breach that impacted 38 million users. Additionally, 3 million encrypted customer credit cards and login credentials for an unknown number of users were exposed.
The incident is not the only time instances of data breach headlines. In recent months, Ecuadorian, NordVPN, a popular Virtual Private Network and StockX, an online marketplace for buying and selling sneakers have had their users personal information left unprotected and exposed on the web. This clearly shows that tech companies still have a long way to go in order to achieve end to end secure networks and servers.