Creative software giant Adobe has admitted to accidentally exposing the details, basic though they were, of just under 7.5 million Creative Cloud accounts.
The accidental leak occurred when an Elasticsearch database was left connected to the internet without any password protection.
The vulnerable database was discovered on October 19 by security researcher Bob Diachenko at Security Discovery and tech journalist Paul Bischoff of CompariTech Ltd.
Upon discovering the database, Diachenko immediately notified Adobe, which responded by securing it the same day. Unfortunately, it is estimated that the database had been unsecured and online for at least a week.
What information was leaked?
While no passwords or detailed payment information were leaked, the list of compromised data is as follows:
- Email addresses
- Date of account creation
- Subscription status
- List of used Adobe products
- Member IDs
- Whether or not the user is an Adobe employee
- Country of residence
- Last login time
- Payment status
Watch out for Spear-Phishing attacks
Phishing Tackle warns all Creative Cloud users to be especially vigilant with regard to emails claiming to originate from Adobe.
The exposed information could easily be used to create highly targeted spear-phishing campaigns aimed at Adobe Creative Cloud users. Social engineers work very hard to convince targets of their authenticity, and this information could be all they need to succeed.
Prevention is always better than cure when it comes to phishing attacks, and one of the most effective protective measures users can take is to educate themselves on what to look for in a phishing email. We’ve put together a neat poster detailing some key points to check when reading emails, and we strongly encourage all our readers to look into further education in the form of Security Awareness Training.
At Phishing Tackle, we believe this should not cost the earth. Check out our cost calculator to see just how affordable Security Awareness Training can be. The cost of a successful phishing attack puts a huge number of organisations out of business every year, and with regular training you can drastically minimise this risk.
Your users are the first and last line of defence, and it’s up to you to make sure they are capable of dealing with such attacks before, not after, they happen.