[BreachExchange] 7.5 Million Adobe Accounts Exposed by Security Blunder
Destry Winant
destry at riskbasedsecurity.com
Mon Oct 28 10:09:32 EDT 2019
https://gizmodo.com/7-5-million-adobe-accounts-exposed-by-security-blunder-1839364598
The customer records of nearly 7.5 million Adobe Creative Cloud users
were discovered by a security researcher this month in an
inadvertently exposed database which has now been secured.
The records exposed in the security mishap did not contain any
passwords or payment information, but instead offered accurate
information about millions of customers’ accounts, including which
Adobe products they use, member IDs, and subscription and payment
statuses.
Experts warn that if criminal actors acquired the data, affected Adobe
customers would face heightened risk of falling victim to
sophisticated spear-phishing attacks—scams usually aimed at acquiring
a specific individual’s payment card details or account credentials.
At time of writing, it remains unclear whether Adobe managed to
successfully secure the data before it could be stolen.
Spear-phishing, which can be very costly to their victims, typically
involves criminals masquerading as a particular service provider,
Satnam Narang, a senior research engineer at Tenable, told Gizmodo.
The aim is to trick users into believing fake company emails are
legitimate in an effort to solicit additional private information or
compromise their accounts.
“In this case, the information exposed is a gift to scammers, because
it provides them with accurate information on Adobe Creative Cloud
customers. Fortunately for these customers, their payment information
was not exposed,” Narang said. He warned, however, that scammers
“could certainly utilize this information to launch precise phishing
attacks against these customers by sending them a warning about an
issue with their subscription.”
According to Comparitech, which first broke the news on Friday, the
data was uncovered on October 19 by noted security researcher and
data-breach hunter Bob Diachenko. The pro-consumer website said it was
unclear how long the records had been exposed or if anyone else
accessed them prior to Diachenko’s discovery.
Comparitech reported the exposure included the following subscriber data:
- Email addresses
- Account creation date
- Which Adobe products they use
- Subscription status
- Whether the user is an Adobe employee
- Member IDs
- Country
- Time since last login
- Payment status
In a statement, Adobe said it “became aware” of a vulnerability
related to work on one of its prototype environments and that it
promptly secured it. “The environment contained Creative Cloud
customer information, including e-mail addresses, but did not include
any passwords or financial information. This issue was not connected
to, nor did it affect, the operation of any Adobe core products or
services,” the company said.
Comparitech confirmed in its report that Adobe reacted quickly upon
notification, securing the exposed database the same day.
“We are reviewing our development processes to help prevent a similar
issue occurring in the future,” Adobe said.
Thom Bailey, cybersecurity strategist at Mimecast, told Gizmodo that
the exposure posed not only a potential risk to individual Adobe
subscribers, but the companies that employ them as well. “With the
details that have been exposed, a well-crafted spear phishing campaign
could gain an attacker entry into an organization’s network from which
they could deliver malicious code or engage in lateral movement to
company data,” he said.
Bailey added that its more imperative than ever for companies to have
strong email security systems in place to guard against potential
phishing attacks. “If not, attackers with malicious intent could
easily break through the human firewalls of these organizations and
access even more critical information,” he said.
Adobe customers should be on the lookout for suspicious emails
directing them to log into their accounts or submit payment
information.
As a general rule, users should never click on any account-related
links they receive via email, no matter how official they may appear.
Instead, go to the Adobe website in a separate tab and resolve any
potential account issues after logging into the website directly.
Adobe also offers the ability to secure the accounts using two-factor
authentication, a security feature all users should have enabled to
help ward off attacks.
More information about the BreachExchange
mailing list