
7M Adobe Creative Cloud Accounts Exposed to the Public - modinfo
https://www.comparitech.com/blog/information-security/7-million-adobe-creative-cloud-accounts-exposed-to-the-public/
======
anon1m0us
> Comparitech conducts security research that entails scanning the web for
> exposed databases. When we uncover a database that hasn’t been properly
> secured and allows unauthorized access, we immediately notify the owner.

The German government does this. They routinely scan systems in Germany and
alert the owners to security issues.

I wonder if this is something _all_ governments should do. I'm not convinced
yet, but I'm heavily leaning toward it being something governments should do.

Exposed servers are a national security risk. They are a risk to public
safety. Governments are there to protect their citizens.

~~~
aagd
Being from Germany I never heard about government-based security checks.
IT-wise our government doesn't make a very competent impression. Do you have
any background info on this?

~~~
aurelian15
I remember receiving an email from the BSI ("Bundesamt für Sicherheit in der
Informationstechnik"; English: "Federal Office for Information Security")
regarding a misconfigured NTP server that could be abused for NTP reflection
attacks.

The functions of the BSI are explained in English here [1] based on the
following law [2]. I guess initiatives such as informing about the NTP problem
fall into what is listed under §3.2.

[1]
[https://www.bsi.bund.de/EN/TheBSI/Functions/functions_node.h...](https://www.bsi.bund.de/EN/TheBSI/Functions/functions_node.html)

[2]
[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/BSI/bsig...](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/BSI/bsiges2009_pdf.pdf?__blob=publicationFile&v=1)

------
bborud
I wonder if Adobe executives are aware of what kind of image their company
has.

How long before Adobe reaches the Oracle stage of dickheadedness, where phasing
out all their products can be found in large companies' (non-public) strategy
plans?

~~~
madhadron
In favor of what, though? You can replace Premiere with Avid and InDesign with
Quark, but what replaces After Effects? PhotoShop? Illustrator? And for the
professionals that depend on these tools, retraining is a _major_ pain,
equivalent to saying to an experienced vim user that they have to switch to
BBEdit.

~~~
bborud
I was a bit surprised to find that quite a few of my friends who traditionally
used Photoshop and Illustrator in their work either have transitioned to
Affinity products, or are making a conscious effort to look for alternatives.
I would have thought it would take longer and/or that people would be
extremely tied to their tools.

But you do make a point. Often there is no obvious alternative. And changing
tools has a cost.

Mostly because they want to pay for software and then not have it stop working
on them for silly reasons, but also due to a general "bullshit fatigue" with
Adobe. It isn't a company that cares a great deal about its users.

I did something similar a few years ago. After Oracle ended up buying Sun, I
really wanted to stop using Java since I didn't feel Oracle was a company that
I would want to do business with.

However, it took me several years to transition away from Java. I really liked
Java. Finding a new programming language that is suitable for the kind of work
you do, has enough of a community etc. isn't just a matter of deciding to
move. You need somewhere to move to. Eventually Go evolved to where it fit my
needs really well, so I managed to make the transition. 2-3 years later and I
haven't touched Java since. (Which was somewhat unexpected. I didn't expect
changing languages would be that fast, but it coincided well with new projects
etc).

As for switching editors, VSCode managed to attract 2.6M monthly users in
roughly 2 years. If you believe estimates of how many developers that are in
the world, and you squint a bit when comparing numbers, that's roughly in the
neighborhood of 10% of the global developer population.

My intuition says you are right. The data seems to suggest it wants to
disagree with both of us :-)

------
jacquesm
Another really good reason to hate these grafted on service models. After all,
if you just bought a license and installed the software on your own machine at
least you wouldn't have to worry about this kind of stuff. It's clear beyond a
shade of doubt that even the largest companies can't be trusted to be good
stewards of your data.

~~~
tyingq
Hard to argue with what it did for their company. Look at a 5 year chart for
Adobe's stock price.

~~~
jacquesm
Yes, stock price is everything /s.

1) check back on Monday morning

2) we don't know what their stock price would have been otherwise

3) even if it is good for their stock it might still kill the company, though
- regrettably - the public is way too accepting of these sort of things.

~~~
tyingq
~3x return over 3 years. Something's working unusually well.

~~~
jacquesm
Sure, but that's arguing from results and you can justify an awful lot of
terrible stuff like that.

Interactions between people can to a large extent be governed properly by
utilitarianism, but as soon as you bring in stock price as the arbiter then
you're very far from safe ground. After all, in times of war the stock price
of weapons manufacturers will go up, but that does not mean that the net
utility gain is positive.

~~~
tyingq
I'm not justifying what they did here and I get your position. I'm thinking
about the motivation, progression, etc. The upside of ignoring proper security
seems to outweigh the downside. Target, for example, is doing just fine.
Despite their tepid response to an egregious mistake. The consequences seem
paltry.

~~~
jacquesm
Well, they _could_ have done that proper security and their stock price would
be just as good. I think long term the only thing that will take care of these
excesses will be an American version of the GDPR or something to that effect.

Microsoft and Apple are already calling for this, it's a matter of time.

------
nyuszika7h
Adobe hasn't learned... I still get spam to myusername+adobe@mydomain.net (or
occasionally, adobe@mydomain.net if the spammers' email parser is dumb) to
this day, to the point where I've had to blacklist that address.

------
downrightmike
"The exposed user data wasn’t particularly sensitive, but it could be used to
create phishing campaigns that target the Adobe users whose emails were
leaked. The following user data was included:

Email addresses Account creation date Which Adobe products they use
Subscription status Whether the user is an Adobe employee Member IDs Country
Time since last login Payment status The data did not include payment
information or passwords."

~~~
jefftk
Reformatted:

"

* Email addresses

* Account creation date

* Which Adobe products they use

* Subscription status

* Whether the user is an Adobe employee

* Member IDs

* Country

* Time since last login

* Payment status

The data did not include payment information or passwords"

------
Angostura
Jokes on them, they already released my account details once

------
rukuu001
Utter silence from Adobe on this (I'm a CC customer)

~~~
jacquesm
7M is way - really, way - above the disclosure floor, so in the EU at least
they will have to do a proper disclosure to the various DPAs.

One document I read put the lower floor at _5_ records for a 'major breach' so
I would very much caution against trying to wipe this sort of thing under the
carpet. That's the best way to find out how serious the EU is about those
fines. That and repeats while ignoring previous DPA instructions.

------
kitotik
It feels like unsecured elasticsearch clusters are becoming the new
s3/mongodb.

I’ve been noticing increased scans for their default ports on servers I
maintain.

It’s not very surprising given how insecure the defaults are for the typical
ELK stack, and how tedious it is to actually setup sane authz.

~~~
kakwa_
Well, putting in place authentication can indeed be difficult, but making the
ELK nodes only accessible by a limited set of IPs (preferably private ones)
instead of being directly public facing should reasonably be expected.

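The thread above is about Elasticsearch nodes that answer on TCP/9200 to anyone on the internet, which is exactly what the "scanning the web for exposed databases" research in the article relies on. The following is an added example, not code from the article or from any commenter, of the check a researcher (or the node's own operator) would run: fetch the root endpoint and classify the answer as an open, unauthenticated cluster, a cluster that demands credentials, or something that is not Elasticsearch at all. The classification keys (the "You Know, for Search" tagline and `cluster_name` field in the banner, and a 401 with `WWW-Authenticate` once security is enabled) are real Elasticsearch behaviour; the sample responses in the block are constructed, and the host list and tool name are assumptions for illustration.

```python
"""Classify what a host exposes on the default Elasticsearch HTTP port.

Added example. The network probe is only used when run as a script;
classify_response() is pure and can be exercised offline.
"""
import json
import socket
import sys
import urllib.error
import urllib.request

ES_PORT = 9200
ES_TAGLINE = "You Know, for Search"


def classify_response(status, headers, body):
    """Return (state, detail) for one HTTP response from port 9200.

    state is one of:
      "open"              - banner served without credentials; detail = version
      "auth-required"     - 401 from the node; detail = auth scheme (lowercased)
      "not-elasticsearch" - something else answered (proxy, other service)
    """
    # Header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}

    if status == 401:
        scheme = hdrs.get("www-authenticate", "").split(" ", 1)[0].lower()
        return ("auth-required", scheme or "unknown")

    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return ("not-elasticsearch", None)
        if isinstance(doc, dict) and (
            doc.get("tagline") == ES_TAGLINE or "cluster_name" in doc
        ):
            version = doc.get("version", {}).get("number")
            return ("open", version)

    return ("not-elasticsearch", None)


def probe(host, port=ES_PORT, timeout=3.0):
    """Fetch http://host:port/ and classify it; "unreachable" on no answer."""
    url = "http://%s:%d/" % (host, port)
    req = urllib.request.Request(url, headers={"User-Agent": "es-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:
        # 401/403 etc. arrive here; still worth classifying.
        body = err.read().decode("utf-8", "replace")
        return classify_response(err.code, dict(err.headers), body)
    except (urllib.error.URLError, socket.timeout, OSError):
        return ("unreachable", None)


# Constructed sample responses (not captured from any real host).
OPEN_BODY = json.dumps({
    "name": "node-1",
    "cluster_name": "docker-cluster",
    "version": {"number": "7.4.0"},
    "tagline": ES_TAGLINE,
})
AUTH_HEADERS = {"WWW-Authenticate": 'Basic realm="security" charset="UTF-8"'}
PROXY_BODY = "<html><body><h1>403 Forbidden</h1></body></html>"


if __name__ == "__main__":
    # Hypothetical usage: python es_exposure_check.py host1 host2 ...
    for target in sys.argv[1:]:
        state, detail = probe(target)
        print("%s:%d %s %s" % (target, ES_PORT, state, detail or ""))
```

An "open" result on a host reachable from the public internet is the finding the article describes; the fix kakwa_ points at is to bind `network.host` to a private interface and restrict port 9200 (and 9300) at the firewall to the hosts that actually need it, with authentication enabled on top of that, rather than relying on the port being obscure.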
------
plurple
And I just recently saw one of the top people on Creative Cloud mocking
someone on Twitter for their security. Oops.

~~~
philshem
Link?

------
pier25
Shouldn't companies be penalized for exposing their users' private data?

------
codyogden
Another day, another major company exposing a huge trove of user data. Will
GDPR be at play here since the data was exposed?

~~~
libertine
If it was in EU ground and/or involved EU citizens, for sure something will
happen.

------
cameronbrown
Second time's a charm!

