Earlier this month, Adobe was the victim of a serious security incident that exposed the personal information of nearly 7.5 million users of the company’s popular Creative Cloud service.
According to security firm Comparitech, the software giant left an Elasticsearch server unsecured, accessible on the web with no password or other authentication required. The leak, which was discovered on October 19, was plugged by Adobe immediately after it was alerted to its existence.
“Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability,” the company said.
The exposed database included details like email addresses, account creation dates, subscribed products, subscription statuses, payment statuses, member IDs, country of origin, time since last login, and whether the users were Adobe employees.
With an estimated 15 million subscribers, Adobe Creative Cloud is a monthly subscription service that gives users access to a suite of popular Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects, and many others.
Although there were no passwords or financial information in the database, the consequence of such exposure is the increased possibility of targeted spear phishing email attacks.
“Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example,” Comparitech said. It’s therefore crucial that users turn on two-factor authentication to add a second layer of account protection.
This is not the first time leaky servers have drawn headlines. In recent months, Ecuadorian and Russian citizens, and US government personnel, have had their personal info left unprotected on Elasticsearch servers, underscoring that there’s still a long way to go when it comes to cloud security.