The private information of almost 7.5 million Adobe Creative Cloud users has been exposed in a new security breach. The exposed data didn't include any passwords or financial details, but did include email addresses.
The company was quick to address the issue when informed, but not before the details of its users had been exposed. While it's uncertain whether or not these details have actually made it into the public domain, it's healthy to act with a little caution.
In other words, those with an Adobe Creative Cloud subscription should be wary when checking their email, as internet scammers might have access to millions of Adobe user emails.
How Did the Security Breach Happen?
The data was left exposed and not password-protected in an online-accessible Elasticsearch database. Elasticsearch is a type of database designed for the easy hosting and management of documents and semi-structured data, making it a potential target for an opportunistic scammer.
The breach was discovered by researcher Bob Diachenko from Security Discovery and tech journalist Paul Bischoff of CompariTech on October 19. They reported it to Adobe, and Adobe's security team was able to close the breach that day.
Adobe's team then publicly addressed the breach in a blog post this week:
“Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.
[…] We are reviewing our development processes to help prevent a similar issue occurring in the future.”
What Information Was Revealed?
The data was, according to Adobe, “Creative Cloud customer information, including e-mail addresses,” but not “any passwords or financial information.”
ZDNet covered the breach and included more details about what exactly was exposed, saying it included “Adobe member IDs (usernames), country of origin, and what Adobe products [subscribers] were using” in addition to email addresses.
The fact that no passwords were exposed means that any scammers who might have stumbled upon this treasure trove would have just one scam available to them: Phishing.
Phishing refers to the act of sending out a message that pretends to be an official company email in an attempt to bait the victim into revealing their personal information. If a phisher uses these email addresses to send a convincing-looking email claiming to be from Adobe and requesting payment information, they might get access to Adobe users' bank accounts. And since millions of email addresses were exposed, the phisher would only need a 0.01% response rate to defraud customers of hundreds of thousands of dollars.
How to Avoid Phishing Emails
Victims lost $29.7 million to phishing scams in 2017, according to a report from the FBI’s Internet Crime Complaint Center. It's one of the most popular types of internet crime, and the one you're most likely to be in danger from when you open your inbox in the morning.
With the potential for your details to be out there in the hands of scammers, should you trust the next email you get from Adobe? How can you be sure it's from them?
- Check the email address — Scammers can't send email from an official account. When you see an “official” email, check that the address actually matches the company it says it's from. Any misspellings or weird domain names are huge red flags. If you're suspicious, look up all the past emails you've gotten from that address and see if they match the official communication you've received from that company.
- Check the links — Scammers want to direct you to a fake website that will ask for your personal or financial information. If the URL they want to send you to isn't an official one, don't enter your password or details.
- Get a password manager — Password managers can keep all your diverse passwords in one location, keeping you from falling back on the same easy-to-remember password again and again. That way, if you do wind up getting scammed, at least the scammers won't be able to access multiple accounts with your single-use Adobe password. And, since password managers only auto-fill your password when they recognize a website, they won't auto-fill it on a fake webpage, giving you another signal that you're in danger from a phishing attempt.
- Google it — When in doubt, look up the company to see if there are reports of a data breach or news of similar phishing attempts. You might even find the exact text of your phishing email available online, posted by another would-be victim.
- Report it — If you find a phishing email from Adobe, head over to their incident response page, where they have information about how best to report a phishing attempt. It'll help Adobe address the issue before more users are scammed.
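The first two checks in the list above (sender address and link destinations) can be automated. The following Python sketch is an added example, not code from Adobe or from this article. It assumes a single-part HTML message and treats `adobe.com` as the only official domain; the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains the reader treats as official for this sender.
OFFICIAL_DOMAINS = {"adobe.com"}

def is_official(host):
    """True only for an official domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def review_email(raw):
    """Return a list of red flags for one raw single-part HTML message."""
    msg = message_from_string(raw)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not is_official(sender_domain):
        flags.append("sender domain not official: " + sender_domain)
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not is_official(host):
            flags.append("link leaves official domain: " + str(host))
    return flags

# Constructed sample message, not a real phishing email.
SAMPLE = """From: Adobe Billing <billing@adobe-accounts.example>
Subject: Update your payment details
Content-Type: text/html

<p>Your subscription is on hold.
<a href="https://adobe.com.billing-check.example/login">Sign in</a> or visit
<a href="https://account.adobe.com/">your account</a>.</p>
"""

if __name__ == "__main__":
    for flag in review_email(SAMPLE):
        print(flag)
```

The suffix match is what catches the lookalike host that merely starts with `adobe.com`. A From domain that passes this check is not proof of origin, since the header can be forged; the check only catches obvious mismatches.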
Hopefully, these tips can help you feel confident that you're not falling for the latest email scam.