STE WILLIAMS

Time to check who left their database open and leaked 7.5m customer records: Hi there, Adobe Creative Cloud!

Adobe has pulled down an Elasticsearch database containing account info of 7.5 million customers that had been left open online.

The cloud instance was uncovered by data exposure detective Bob Diachenko, who reported it to Adobe last week.

The exposed accounts include email address, account creation data, products purchased, subscription status, member ID, country, last login, payment status, and whether the user is an Adobe employee.

For those out of the loop, Creative Cloud is the online successor to Adobe’s software suite of things like Photoshop, Illustrator, and Premiere. Users pay a monthly fee to access the various apps rather than buy them on CD.

The database contains pretty bog standard information and there were no payment card details or passwords included, so if you were one of the 7.5 million exposed you’re probably not in any danger of fraud or the theft of Creative Cloud subscriber accounts.

However, as Diachenko’s co-researcher and Comparitech editor Paul Bischoff notes, these sort of small details could be very useful for social engineering. They may not let a thief steal your account directly, but they could be the first step.

“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams,” Bischoff explains.

“Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”

US soldiers in the desert

Messed Western: Vuln hunters say hotel giant’s Autoclerk code exposed US soldiers’ info, travel plans, passwords…

READ MORE

As the database has since been taken offline, there is no risk of further exposure. Diachenko reckons the database was online for around a week and there’s no indication if anyone else was able to view it.

“We are reviewing our development processes to help prevent a similar issue occurring in the future,” Adobe said of the exposure.

The media software giant has plenty of company in leaving a cloud database exposed.

With the advent of Shodan and other tools capable of automatically crawling large blocks of IP addresses, it has become clear that there are millions of databases on AWS and other cloud platforms that are set to allow public access.

While most of those databases and cloud instances don’t contain sensitive data, many were packed with files and information that the creators never intended to make public. Massive exposures have occurred at Veeam, the Mexican government and the RNC all thanks to misconfigured machines.

Admins and developers are advised to always make sure their machines are configured to only allow access to those who need it. ®

Sponsored:
What next after Netezza?

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/25/adobe_user_data_exposed/

  • 25/10/2019
  • adm
Comments are closed.