Data protection experts reported the finding of more than 7 million Adobe Creative Cloud user records exposed due to a database with configuration errors. The exposed implementation has already been secured.
Although no passwords or financial details were found, the database did contain really detailed information about nearly 7.5 million customers, including the list of Adobe products they use and user IDs, subscription plans, and payment background.
Bob Diachenko, dedicated to searching for information exposed on the Internet, reported the finding of the database on October 19. The investigator mentions that he doesn’t know if anyone had access to this database before him. The full list of data stored in each user record includes:
- Email address
- Account creation date
- List of Adobe products used
- Subscription status
- Member ID
- Login registration
- Payment status
Data protection specialists mention that in the event that a threat actor has gained access to the compromised information, millions of Adobe users would be exposed to sophisticated spear-phishing campaigns, usually aimed at extract information from the victims’ payment cards.
This variant of fraud can be really harmful to victims, because using compromised information criminals can pose as service providers or government organizations to get victims to turn over their data more Sensitive. At the moment there is no way to determine whether any malicious hackers were able to access the information exposed before Adobe secured the database, data protection experts mention.
Through a statement, Adobe mentioned that a vulnerability related to one of its prototypes has been detected, which was secured almost immediately. “The compromised environment hosted information from Creative Cloud users; this issue is not related to Adobe’s core operations,” adds the company’s message.
Comparitech, a firm that discovered the database in collaboration with Diachenko, confirmed that Adobe received its report and acted immediately and securing the database the same day.
Cybersecurity expert Thom Bailey says spear phishing isn’t the only risk Creative Cloud users are exposed to. “The above details could even serve as an access point to an organization’s networks, from where hackers could execute malicious code, among other activities,” the expert says.
The risk of hackers starting to deploy these campaigns is latent, so data protection specialists at the International Institute of Cyber Security (IICS) recommend Adobe users remain alert to the potential occurrence of suspicious emails requesting information or directing to external sites. Remember that companies never send emails requesting personal data from their customers or send emails with links to third-party sites.