At least seven million people were put at risk of possible phishing campaigns after their personal data, and email addresses were exposed in an unprotected database owned by the popular graphic and digital art platform, Adobe Creative Cloud. While the researchers said that the information that was included in the database, threat actors would still be able to use the exposed data to target graphic artists and developers with phishing campaigns through their emails.
Cybersecurity researchers from Comparitech, with the help of the tech expert, Bob Diachenko, uncovered a database that contained information and account details of users of Adobe Creative Cloud applications. The team was able to determine that the said database was not protected by any form of password or encryption. This means that someone who knows how to conduct an Elastic Search would be able to get hold of the information contained by the database.
The team said that when they discovered the unprotected database on October 19, 2019, it is possible that it has been online for almost a week. Diachenko notified Adobe regarding their discovery, and the company immediately take the database online on the same day.
Adobe Creative Cloud is a centralized platform that gives users access to the set of applications and software developed by Adobe Systems. The platform offers applications like Adobe Photoshop, Adobe Lightroom, Adobe Illustrator, Adobe Premiere, and Adobe InDesign.
These applications are typically used by photographers, layout, and graphic artists, as well as web designers. The subscription service has replaced the previous single-purchase and perpetual licensing offered by Adobe on its products. By some estimates, the Adobe Creative Cloud has a total of 15 million subscribers around the world.
Nearly half or seven million users were affected by the recent data breach. Fortunately, the information included in the database did not disclose information more sensitive than email addresses. According to the blog post by Comparitech, the exposed information includes email addresses, the date when the account was created, which Adobe products they are using, the status of their subscription, and the last time they logged in to their accounts. The database was also able to tell whoever can have access to it whether the user is an Adobe ID as well as their Member ID numbers.
The researchers assured users that the database did not include passwords and credit card information. This means that the database could not be used to target users with credential stuffing and identity theft attacks.
However, researchers said that the database could potentially expose users to the risk of phishing attacks, which usually leads to more sophisticated attacks.
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example,” the researchers said in the blog post. “The information does not pose a direct financial or security threat. No credit cards or other payment information was exposed, nor were any passwords.”