Security researchers recently discovered an unprotected ElasticSearch database that contained nearly 7.5 million data records belonging to users of Adobe Creative Cloud and could be accessed by anyone with an Internet connection.
The exposed cloud database containing data records of Adobe Creative Cloud users was discovered by security researcher Bob Diachenko on 19 October and was secured on the same day by Adobe after the company was informed about the exposure.
Information stored in the ElasticSearch database was, according to Comparitech, exposed for about a week before it was discovered. Data records in the database included email addresses, member IDs, country of origin, whether the user is an Adobe employee, which Adobe products a user has subscribed to, account creation date, payment status, subscription status, and time since last login.
Exposed data could allow hackers to carry out phishing campaigns
"The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords," said Comparitech, adding that since the data did not include payment information or passwords, the exposure did not pose a direct financial or security threat to users.
Adobe issued a press release on Friday to inform its community about the cyber incident, stating that the exposure did not impact any Adobe core products or services.
"Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.
"The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services. We are reviewing our development processes to help prevent a similar issue occurring in the future," the company said.
People across the world have to subscribe to the Adobe Creative Cloud service in order to use a range of Adobe products such as Photoshop, Lightroom, Lightroom Classic, Illustrator, InDesign, Premiere Pro, Audition, After Effects, and others.
Companies need to follow best practices for configuration to prevent exposures
Commenting about the ElasticSearch database exposure, Stuart Sharp, VP of solution engineering at OneLogin, said that the incident illustrates the lack of controls that organisations have for controlling access to cloud services and the data they hold. Too many individuals have too much access to too many cloud services and organisations are struggling to maintain controls.
"Organisations need to constantly audit cloud services and control access and protect authentication and authorisation using a combination of Privileged Access Management and MFA," he added.
Recently, after an ElasticSearch database containing personal details of nearly 72,000 users of online dating app Heyyo was found exposed on the Internet, Warren Poschman, senior solutions architect at comforte AG, told TEISS that unsecured or misconfigured NoSQL instances continue to be prevalent as the virtual low-hanging fruit for cyber criminals.
"Instead of remaining sanguine, it’s time for organisations to face reality and act to secure their data. This starts with following best practices for configuration, something that is widely available for each platform, as well as implementing data-centric security to protect and deidentify data – something that is designed to be analytics friendly and strongly protects the data regardless of what it is stored in, who has possession of it, or whether the system or perimeter is compromised," he said.
Anurag Kahol, CTO at Bitglass, said that there are tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases – meaning it doesn't take much effort for outsiders to find unsecured databases. That is one of the reasons why abusing misconfigurations has grown in popularity as an attack vector across all industries, along with the continued carelessness of companies when it comes to cybersecurity.
He added that vulnerabilities in IT assets can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation. There is no excuse for negligent security practices such as leaving databases exposed. As such, all companies, even those with limited IT resources, must take full responsibility for securing user data and should turn to flexible, cost-effective solutions that can prevent data leakage.