With the Adobe incident, the exposed user data extended to some 7.5 million accounts and the information leaked included email addresses, the Adobe products they subscribed to, account creation date, subscription and payment status, local time zone, member ID, time of last login, and whether they were an Adobe employee.
The issue was discovered by Comparitech in partnership with security researcher Bob Diachenko. They found that the Elasticsearch database could be accessed without a password or any other authentication. Adobe has since taken action to secure the database.
Although passwords and credit card details were not exposed, the extent of the data is sufficiently sensitive to present problems for Creative Cloud users, according to Mashable.
To discover more, Digital Journal caught up with Alexander García-Tobar, CEO and co-founder of Valimail. García-Tobar begins by outlining the seriousness of the data breach and what cyber-criminals can potentially do with the information: “The exposure of 7.5 million Adobe Creative Cloud accounts gives cyber criminals more than enough data to commit effective phishing attacks and impersonation attempts.”
He adds that personal data is key to malicious activities going forwards: “Knowing users’ email addresses, product subscriptions, payment statuses and login updates means their social engineering attacks can be highly tailored and therefore all the more convincing.”
Based on this, García-Tobar warns that: “If successful, these attacks can lead to account takeover, identity theft and other scams.”
The consequence will be phishing campaigns, a style of cyber-attack that “often follows hot on the heels of breaches like this, targeting the victims with fake security warnings that look like they came from the breached company.”
Drawing on industry knowledge, the cybersecurity expert notes that: “In fact, 83 percent of phishing emails overall are brand or company impersonations.”
In turn, this presents challenges to companies, as García-Tobar notes: “CISOs and CIOs face a daunting task against a relentless wave of impersonation attacks. Sender identity-based email security solutions are a powerful defense that can help stem these attacks.”