Adobe accidentally leaked the personal details of at least 7 million Creative Cloud accounts. Comparitech discovered and reported the exposed database on October 19, 2019. According to the report, the database lacked any password or authentication controls, meaning anyone could have accessed the data. The exposed data included email addresses, user subscription status, the date the account was created, and the Adobe products subscribed to. The leak also contained employee details such as payment status, country, member ID, and the time and location of the last login. Bob Diachenko, a security researcher who was also involved in discovering the leak, estimated that the database had been public for approximately one week by the time he notified Adobe. It has yet to be established whether any unauthorized access took place.
Adobe posted a security update on its website confirming the leak. Adobe stated it had been notified of a vulnerability in one of its prototype environments and promptly shut that environment down to address it. The company attributed the vulnerability to a misconfiguration of the prototype environment. It also said that the environment contained personal information belonging to Adobe users with Creative Cloud accounts, but that the information did not include any financial data or passwords, so the exposed information was not especially sensitive. Adobe's quick response was to pull the database offline.
Timeline of the database leak
Bob Diachenko partnered with Comparitech to uncover the leaked database. The database lacked any type of security measure and was easily accessible. The security researcher reported that he did not know the exact date on which the database became public.
- October 19, 2019 – Comparitech and Diachenko discovered an exposed Adobe database containing Creative Cloud account data and immediately notified Adobe.
- October 19, 2019 – Adobe pulled down the database and immediately secured the instance.
Although the database leak was quickly contained, it is still unclear whether a fraudster accessed it beforehand and downloaded the contents. Creative Cloud account owners whose data was exposed are at higher risk of being targeted by spear phishing emails. Attackers could use the exposed email addresses to send spam and malware-laden links and attachments. Specifically, fraudsters could target users with premium subscriptions in an attempt to hijack or compromise high-value Creative Cloud accounts. Such accounts can be resold online at discounted prices or sold on dark web markets for use in criminal activities.
Lessons drawn from the incident
A few lessons can be drawn from the leaked database incident. Firstly, Adobe admitted that the exposure was the result of a misconfiguration. The company did not provide additional details, but this clearly indicates the importance of ensuring accurate configurations when deploying any technology that handles sensitive data. Organizations should verify that the configurations they implement adequately address their security and operational needs, starting with replacing default configurations, including those for identity and access management.
The incident also shows the vital need to encrypt information at rest and in transit. The information in Adobe's database lacked encryption and password protection and was thus accessible to anyone. On the other hand, Adobe's response to the incident illustrates the benefit of responding rapidly to a breach. Had Adobe failed to rectify the situation within a few days of the leak becoming public, hackers could have accessed the information and used it for phishing campaigns.
Countermeasures for preventing database leaks
Database leaks can be an expensive affair for a company. They can lead to lawsuits and other legal challenges if a leak affects the privacy or security of a data owner. Moreover, large leaks can cause consumers to question the security of their personal information, causing an organization to suffer reputational damage and potential loss of profits. For these reasons, businesses should consider the following countermeasures to secure their databases against leaks:
- Password protection: Passwords provide the most basic security. Adobe and other companies need to ensure all their databases are password-protected. Password security should also follow best practices to protect against dictionary and brute-force attacks. Such practices include combining upper-case and lower-case letters, numbers, and special symbols to create strong passwords, changing the passwords regularly, and ensuring the passwords are accessible only to trusted parties.
- Multi-factor authentication: A malicious employee with the correct password can still access the database and leak it. Companies should therefore implement multi-factor authentication to prevent unauthorized access. Multi-factor authentication verifies a user's identity by requiring additional authentication factors in addition to the password, such as a code sent to the trusted individual's phone or a biometric. It ensures that only people with the correct permissions can access the database.
- Data encryption: Encrypting information in a database not only secures it in the event of a leak, but also protects data during a breach or attack. As the Adobe incident has shown, leaks can appear out of nowhere, and so can data breaches. Encryption ensures exposed information is useless unless the database is first decrypted. There are many types of encryption schemes, and it shouldn't be too hard for a business to identify one and implement it. In any case, encrypting personal information is a key requirement of the GDPR and other regulations, so implementing it also facilitates compliance.
- Consistent backups: The leaked Adobe information dated back close to a week. If the information had been stolen, Adobe users would have lost a week's data. Businesses should therefore maintain daily backups to ensure availability in case of a compromise.
- Vulnerability management: This entails identifying security weaknesses and mitigating them. A thorough vulnerability management program would have enabled Adobe to identify the incorrect configuration in time, before the database was leaked.
- Access management: Controlling which individuals have access to important databases is an essential measure for preventing leaks. With insider threats growing in every organization, it is prudent to implement the most effective access management controls. Least privilege access, for instance, grants access only on a need-to-know basis, thus reducing the number of users with access permissions.
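The password-protection and multi-factor items above describe a login path in which a password is checked against complexity and dictionary rules and a second factor is required before access is granted. The following is an added example of that path, written for this article and not code from Adobe or the original post. It uses only the Python standard library: the password policy checks mirror the practices listed above, the password hash is salted PBKDF2, and the second factor is a time-based one-time password (RFC 6238) as produced by an authenticator app. The user record, salt and weak-password list are constructed sample values; the TOTP secret is the RFC 6238 test-vector key, so the codes it produces can be checked against the RFC.

```python
# Added example (not code from the article or from Adobe): a login path that
# enforces the password practices and the second authentication factor the
# countermeasures above describe. The user record, salt and secret below are
# constructed sample values; the TOTP secret is the RFC 6238 test-vector key.
import hashlib
import hmac
import struct

# Constructed sample dictionary of weak passwords; a real deployment would use a
# breached-password list instead.
WEAK_PASSWORDS = {"password", "adobe2019", "letmein", "qwerty123"}
SPECIAL_SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`'\"")

# Constructed user store: the password hash is salted PBKDF2, the TOTP secret is
# the shared key provisioned to the user's authenticator app.
SALT = b"constructed-salt"
PBKDF2_ROUNDS = 200_000
USERS = {
    "alice@example.com": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Tr0ub4dor&3xample!", SALT, PBKDF2_ROUNDS),
        "totp_secret": b"12345678901234567890",
    }
}


def check_password_policy(password: str, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_SYMBOLS for c in password):
        problems.append("no special symbol")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("found in dictionary of common passwords")
    return problems


def verify_password(user: str, password: str) -> bool:
    """Recompute the salted PBKDF2 hash and compare it in constant time."""
    record = USERS.get(user)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["pw_hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or `window` steps either side (clock skew),
    comparing in constant time so the check does not leak matching digits."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + drift * step, step), code):
            return True
    return False


def authenticate(user: str, password: str, code: str, timestamp: int) -> bool:
    """Both factors must pass: a correct password alone never grants database access."""
    if not verify_password(user, password):
        return False
    return verify_totp(USERS[user]["totp_secret"], code, timestamp)


if __name__ == "__main__":
    print(check_password_policy("password"))
    print(totp(b"12345678901234567890", 59, digits=8))  # RFC 6238 vector: 94287082
    now = 59  # fixed timestamp so the run is reproducible
    code = totp(USERS["alice@example.com"]["totp_secret"], now)
    print(authenticate("alice@example.com", "Tr0ub4dor&3xample!", code, now))
```

The skew window of one step on either side is what authenticator apps and servers typically tolerate; widening it makes a stolen code usable for longer, so it should stay small. Note that `authenticate` checks the password first and only then the code, and that neither comparison short-circuits on a partial match.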
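The lesson about misconfiguration, together with the vulnerability-management and access-management items above, comes down to one recurring check: does each database instance require authentication, listen only where it should, encrypt its data, run without default credentials, and grant privileged roles only to approved accounts? The following is an added example of such an audit, written for this article and not code from Adobe or the original post. The instance format, field names and the two-instance sample fleet (one prototype left on defaults, one hardened production instance) are constructed assumptions for this example and do not correspond to any vendor's real settings.

```python
# Added example (not from the article or Adobe): a configuration audit that flags
# the kinds of database misconfiguration the lessons above describe. The instance
# format, field names and sample fleet are constructed for this example and do
# not correspond to any vendor's real settings.
import ipaddress

# Constructed list of widely shipped default logins that must never survive into
# a live instance.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", ""), ("sa", ""), ("guest", "guest")}
PRIVILEGED_ROLES = {"superuser", "admin", "all"}

# Constructed fleet: a prototype left on defaults next to a hardened production instance.
INSTANCES = [
    {
        "name": "prototype-search",
        "bind_address": "0.0.0.0",
        "auth_required": False,
        "tls": False,
        "encryption_at_rest": False,
        "contains_personal_data": True,
        "approved_admins": [],
        "accounts": [{"user": "admin", "password": "admin", "roles": ["superuser"]}],
    },
    {
        "name": "prod-accounts",
        "bind_address": "10.20.0.5",
        "auth_required": True,
        "tls": True,
        "encryption_at_rest": True,
        "contains_personal_data": True,
        "approved_admins": ["dba"],
        "accounts": [
            {"user": "svc_reporting", "password": "<from-secret-store>", "roles": ["read_only"]},
            {"user": "dba", "password": "<from-secret-store>", "roles": ["superuser"]},
        ],
    },
]


def audit_instance(inst: dict) -> list:
    """Return one finding per weakness as (severity, issue, corrective action)."""
    findings = []
    personal = inst["contains_personal_data"]

    if not inst["auth_required"]:
        findings.append(("critical" if personal else "high",
                         "no authentication required",
                         "enable authentication and require credentials for every client"))

    addr = ipaddress.ip_address(inst["bind_address"])
    if addr.is_unspecified or addr.is_global:
        findings.append(("high", f"listening on {addr}, reachable from any network",
                         "bind to a private interface and restrict ingress to known hosts"))

    if not inst["tls"]:
        findings.append(("medium", "no TLS: data in transit is unencrypted",
                         "enable TLS on the listener"))

    if personal and not inst["encryption_at_rest"]:
        findings.append(("high", "personal data stored without encryption at rest",
                         "enable at-rest encryption with a managed key"))

    for acct in inst["accounts"]:
        if (acct["user"], acct["password"]) in DEFAULT_CREDENTIALS:
            findings.append(("critical", f"account {acct['user']!r} uses default credentials",
                             "rotate the credential and store it in a secret store"))
        if set(acct["roles"]) & PRIVILEGED_ROLES and acct["user"] not in inst["approved_admins"]:
            findings.append(("high", f"account {acct['user']!r} holds privileged roles without approval",
                             "reduce to the least privilege the account's task needs"))
    return findings


def audit_fleet(instances: list) -> dict:
    """Map each instance name to its findings, worst severity first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    return {i["name"]: sorted(audit_instance(i), key=lambda f: order[f[0]]) for i in instances}


def exposed_personal_data(instances: list) -> list:
    """Names of instances that hold personal data and have at least one critical
    finding: the combination that turns a misconfiguration into a data leak."""
    return [i["name"] for i in instances
            if i["contains_personal_data"]
            and any(f[0] == "critical" for f in audit_instance(i))]


if __name__ == "__main__":
    for name, findings in audit_fleet(INSTANCES).items():
        print(name, "->", len(findings), "finding(s)")
        for severity, issue, fix in findings:
            print(f"  [{severity}] {issue}: {fix}")
```

Running the audit on every environment, prototypes included, is the point: the instance that leaks is rarely the production one that already went through review. The `exposed_personal_data` helper is the list a security team would page on, since an unauthenticated, publicly reachable instance that holds no personal data is a lesser problem than one that does.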