Nearly 7.5 million Adobe Creative Cloud users are left open to phishing campaigns after their records were left exposed to the internet.
Adobe Creative Cloud, which has an estimated 15 million subscribers, is a monthly service that gives users access to a suite of popular Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects and others.
Comparitech partnered with security researcher Bob Diachenko to uncover the exposed database. The Elasticsearch database could be tapped without a password or any other authentication; offering an attacker access to email addresses, account information and which Adobe products that users purchased. The data did not include payment information or passwords.
The user data “wasn’t particularly sensitive,” but it could be used to create convincing phishing emails aimed at Adobe users, according to Comparitech researcher Paul Bischoff, in Friday research shared with Threatpost.
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams,” Bischoff noted. “Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”
Adobe is no stranger to data privacy problems; in October 2013, Adobe suffered a breach that impacted at least 38 million users, where attackers stole 3 million customer IDs, encrypted passwords, along with the source code for a number of products.
Diachenko notified Adobe on October 19 and the company secured the database on the same day. He estimates that the database was open for about a week. It’s unknown whether malicious actors accessed the information, but hackers are increasingly scanning for open, misconfigured cloud databases, according to recent research.
And no wonder; as cloud misconfigurations and attacks continue to make headlines, enterprise views on cloud security have yet to catch up. Recent research from the Ponemon Institute shows that although nearly half (48%) of corporate data is stored in the cloud, only a third (32 percent) of organizations admit they employ a security-first approach to that data storage.