The News: Adobe Creative Cloud database vulnerability leaves 7.5 million customer emails exposed. Data hunter Bob Diachenko and security pros at Comparitech discovered an Elasticsearch database full of customer data exposed on the internet. The unsecured database contained the email addresses of nearly 7.5 million customers of Adobe’s Creative Cloud. Read more at Naked Security.
Analyst Take: Another day, another company deals with a security issue. Today, that company is Adobe, and about half of its Adobe Creative Cloud customer base has to worry that their email addresses are floating about out there.
I’ll start with the good news: This unsecured database was discovered by Diachenko and Comparitech on October 19th and is thought to have been exposed for about a week. As soon as Adobe learned of the issue, it admitted the error and shut the database down. The other good news is that this vulnerability did not expose passwords or payment information.
The bad news is that people are incredibly prone to phishing attacks, and these 7.5 million people are no exception. Hackers could easily email these addresses, claiming to be Adobe and asking for credential information. They could also sell the email addresses to others on the dark web who make a mighty fine living in the business of phishing.
The other bad news is that while password or payment information wasn’t accessible, other information was, including the user’s country, the Adobe products used, the account creation date and time since last login, and whether the user is an Adobe employee. Individually, maybe not a big deal, but the more information hackers have, the more easily they can exploit users. Make no mistake, it is incredibly easy to get tripped up by a well-executed phishing scheme, and that’s the danger posed here.
It doesn’t appear that Adobe users need to worry about all of their accounts; this vulnerability only affected Adobe Creative Cloud users. If that’s you, stop what you’re doing and go set up two-factor authentication. Go to Settings, select Two-step verification, and make your selection from there.
I’ll close with a note to anyone at any company responsible for data in any way — data security is not something to be taken lightly, whether it’s the security of your customers, or the security of your employees. The bad guys are out there, all day, every day, trying to find a way in — that’s a reality. But we can’t make it easy for them. There’s no excuse for sloppiness when it comes to securing databases. Ever.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.