Adobe, a provider of multimedia and creativity software products, recently disclosed a security breach that impacted users of its Magento Marketplace.
Magento Marketplace is an online portal for buying, selling, and downloading themes and plugins for Magento-based online stores.
In a notification sent to its customers, the company stated that a security vulnerability in Magento’s website allowed unknown intruders to access registered users’ account information. It’s unclear when the attackers exploited the vulnerability, but the company’s security team said they discovered the intrusion on November 21, 2019.
The exposed information included usernames, email addresses, store usernames (MageID), billing and shipping addresses, phone numbers, and limited commercial information. However, the company clarified that account passwords and financial data were not exposed in the incident.
“On November 21, we became aware of a vulnerability related to Magento Marketplace. We temporarily took down the Magento Marketplace in order to address the issue. The Marketplace is back online. This issue did not affect the operation of any Magento core products or services,” the company said in a statement.
“We have notified impacted Magento Marketplace account holders directly. We take these issues seriously and are committed to helping ensure our platforms are secure. We are reviewing our processes to help prevent these types of events from occurring in the future,” the statement added.
In a separate recent security incident, Adobe mistakenly exposed around 7.5 million user account details. This exposure was brought to light by security researcher and consultant Bob Diachenko and reported in the press by Paul Bischoff, tech journalist, privacy advocate and VPN expert at Comparitech.
According to Adobe’s whitepaper, most components of Creative Cloud are hosted on Amazon Web Services (AWS), including Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3). The Elasticsearch database is used to store, search, and analyze large volumes of data in near real-time. Diachenko’s analysis found that this Elasticsearch database was left exposed because it had no password protection.