In another infamous chapter for data breaches, Adobe reported to its client base that a significant exposure had affected almost 7.5 million Creative Cloud customers. The cyberattack targeted an unsecured database that contained sensitive user data.
It wasn’t even Adobe that detected the data breach but a third party dedicated to cybersecurity. What does it mean that a highly important, omnipresent company like Adobe fails to secure its users’ private data?
At My IT Guy, our team of cybersecurity experts believes that it’s important for our readers to understand the implications of such attacks. Everyone can be a victim and yes, malicious parties are the ones to blame. Nonetheless, every single business is responsible for the security mechanisms it has in place.
The Finding
In October, Bob Diachenko and the security company Comparitech found through in-depth analysis that an unsecured Elasticsearch database was exposed. According to the report, the exposure of this database lasted around a week, which was enough time for malicious agents to access and steal data.
The exposed database included email addresses, account creation dates, products used, subscription status, physical addresses, payment status, and a few other details. As mentioned before, 7.5 million users were affected by this breach, which currently represents half of Creative Cloud’s customer base.
Admitting the Error
Adobe publicly admitted the whole situation, also stating as clearly as possible that no financial data was included in the breach. Official sources said that the unsecured database didn’t include this type of information and that more sensitive payment-related information was secured elsewhere.
However, Comparitech stated that this information has huge potential to facilitate phishing attacks. Malicious parties will not be able to profit from the exposed data by itself, yet it can be incredibly valuable for crafting highly effective phishing attacks. With real information, it becomes significantly easier to deceive users and commit fraud in different forms.
The software company promised that despite the magnitude of the leak, users are not at serious risk and that regular service operations will continue as usual.
Repeating the Same Mistakes
Adobe is another company to join the long list of organizations affected by unsecured databases. In the past year, we have seen how unsecured MongoDB databases were simply left in the open, ready for cybercriminals to profit from.
While 7.5 million users is not a minor number, in 2019 we saw how a few high-profile breaches led to the exposure of more than 500 million users’ private data. Both Diachenko and the Comparitech firm have been active and effective enough to spot a few of these exposed databases and report the vulnerabilities publicly.
At My IT Guy, we believe that misconfiguration and neglect are leading causes of these serious breaches. Our clients already understand the importance of properly configured servers and databases, securing their users’ private data and being fully compliant with the competent authorities at the same time.