Data protection experts reported the finding of more than 7 million Adobe Creative Cloud user records exposed due to a database with configuration errors. The exposed implementation has already been secured.
Although no passwords or financial details were found, the database did contain really detailed information about nearly 7.5 million customers, including the list of Adobe products they use and user IDs, subscription plans, and payment background.
Bob Diachenko, dedicated to searching for
information exposed on the Internet, reported the finding of the database on
October 19. The investigator mentions that he doesn’t know if anyone had access
to this database before him. The full list of data stored in each user record
of Adobe products used
Data protection specialists mention that in the
event that a threat actor has gained access to the compromised information,
millions of Adobe users would be exposed to sophisticated spear
phishing campaigns, usually aimed at extract information from the victims’
This variant of fraud can be really harmful to
victims, because using compromised information criminals can pose as service
providers or government organizations to get victims to turn over their data
more Sensitive. At the moment there is no way to determine whether any
malicious hackers were able to access the information exposed before Adobe
secured the database, data protection experts mention.
Through a statement, Adobe mentioned that a
vulnerability related to one of its prototypes has been detected, which was
secured almost immediately. “The compromised environment hosted
information from Creative Cloud users; this issue is not related to Adobe’s
core operations,” adds the company’s message.
Comparitech, a firm that discovered the
database in collaboration with Diachenko, confirmed that Adobe received its
report and acted immediately and securing the database the same day.
Cybersecurity expert Thom Bailey says spear
phishing isn’t the only risk Creative Cloud users are exposed to. “The
above details could even serve as an access point to an organization’s
networks, from where hackers could execute malicious code, among other
activities,” the expert says.
The risk of hackers starting to deploy these
campaigns is latent, so data protection specialists at the International
Institute of Cyber Security (IICS) recommend Adobe users remain alert to the
potential occurrence of suspicious emails requesting information or directing
to external sites. Remember that companies never send emails requesting personal
data from their customers or send emails with links to third-party sites.