Is precisely why your business needs cloud security defense strategies.
Diachenko first discovered the unsecured Elasticsearch database on Oct. 19 and notified Adobe the same day, according to the report. The database was secured and password-protected a few hours later.
Bischoff and Diachenko note that the database apparently had been exposed to the internet for at least a week before it was discovered; it could have been accessed with a web browser, with no password or authentication needed.
The database included email addresses, account creation dates, subscription status, whether the user is an Adobe employee or not, member IDs, country, time since last login and payment status, according to the report.
It's not clear if anyone had inappropriately accessed the data. Adobe says it's reviewing its development process to find out why this database was left unsecured.
Bischoff and Diachenko have a track record of finding other exposed databases. On Oct. 18, for example, the two published a similar report concerning an unsecured database containing 2.8 million customer records belonging to CenturyLink. The data came from a third-party notification platform used by CenturyLink.
Food for thought
Is your information secure in the cloud? Do you know where all your sensitive data lies in the cloud? Have you restricted database accessibility on a need-to-know basis only? Are you using strong authentication measures such as two-factor authentication, and bastion hosts to restrict DevOps access in the cloud?