Adobe exposed data on 7.5 million users and employees and one expert says the incident highlights why production data shouldn't be used in test environments.
Adobe is the latest organization to accidentally expose customer data in a test environment.
The Adobe exposure involved an ElasticSearch database, which could be accessed without authentication, that contained nearly 7.5 million Adobe Creative Cloud account records in the database, including email addresses, member IDs, country, subscription and payment status and whether or not the user was an Adobe employee. Security researcher Bob Diachenko first discovered the exposure on Oct. 19 and immediately reported it to the vendor.
The Adobe exposure was first reported by Comparitech, a technology review site that partnered with Diachenko on the discovery. Adobe secured the exposed database the same day, but it is unclear if any data was accessed.
"At first, nothing indicated it would be an Adobe-related cluster (not the IP nor reverse DNS or collection name), but when I started to analyze the samples for verification purposes, I confirmed it," Diachenko wrote in a Twitter message to SearchSecurity.
Brad Keller, CSO and senior vice president at Shared Assessments, a risk management firm based in Santa Fe, N.M., told SearchSecurity the data distinguishing consumers and Adobe employees means a malicious actor could "more specifically target the employees with future phishing attacks."
A security update from Adobe's Communications Team on Oct. 25 that the exposure was "related to work on one of our prototype environments." The update also said the environment was "misconfigured," though it did not explain how.
Production data should never be used in development or test environments.
Brad KellerCSO and senior vice president, Shared Assessments
The communications team also said the update was posted because the company "believe[s] transparency with our customers is important." However, the update was not as detailed about the data included in the exposure as the research from Diachenko; it did not mention how long the data was exposed or if there was evidence of unauthorized access (Diachenko estimated the Adobe exposure lasted for about one week); and, Adobe did not say if the affected users were contacted directly.
When SearchSecurity asked why real customer data was used in a prototype environment or if the affected Adobe employees would receive extra security, Adobe did not answer and only directed SearchSecurity to the posted statement.
The Adobe exposure follows closely after Imperva admitted a breach of a testing environment led to unauthorized access to customer data. Keller said this practice is inherently risky.
"Production data should never be used in development or test environments," Keller said. "Exceptions exist only in those instances where real data formats are required, but in those cases real data must at least be anonymized."
