Many well-known organisations, including Google, Apple, Microsoft, Chase, and Citibank, have been affected by a major data breach experienced by the Nitro PDF service.
Nitro is an application used to build, edit, and sign PDFs and digital documents, estimated to be used by over 10 thousand business customers and 1.8 million licensed users.
Nitro provides a cloud service used by clients to exchange documents with colleagues or other entities participating in the document development process as part of their service offering.
Nitro software suffers a data breach
Nitro Software released an advisory to the Australia Stock Exchange on October 21st, reporting that they were affected by a “low impact security incident” but that no customer information was affected.
“NITRO ADVISES OF LOW IMPACT SECURITY INCIDENT
* AN ISOLATED SECURITY INCIDENT INVOLVING LIMITED ACCESS TO NITRO DATABASE BY AN UNAUTHORISED THIRD PARTY
* DATABASE DOES NOT CONTAIN USER OR CUSTOMER DOCUMENTS.
* INCIDENT HAS HAD NO MATERIAL IMPACT ON NITRO’S ONGOING OPERATIONS.
* INVESTIGATION INTO INCIDENT REMAINS ONGOING
* NO EVIDENCE CURRENTLY THAT ANY SENSITIVE OR FINANCIAL DATA RELATING TO CUSTOMERS IMPACTED OR IF INFO MISUSED
* DOES NOT ANTICIPATE A MATERIAL FINANCIAL IMPACT TO ARISE FROM INCIDENT
* INCIDENT IS NOT EXPECTED TO IMPACT CO’S PROSPECTUS FORECAST FOR FY2020”
It turns out there may be more to the story than was initially disclosed.
Cyble, a cybersecurity intelligence company, reports that a threat actor is selling the user and document databases, along with 1 TB of documents they claim to have stolen from Nitro's cloud service.
This data is now being sold with the starting price set at $80,000 in a private auction.
Cyble notes that 70 million user records containing email addresses, full names, bcrypt hashed passwords, titles, business names, IP addresses, and other device related data are stored in the ‘user credential’ database table.
Nitro user database
By verifying known email addresses for Nitro accounts that were present in the database, it was possible to determine that the stolen user database is genuine.
The document database contains each file's title, whether it was created or signed, which account owns it, and whether it is public.
These databases, according to Cyble, contain a large number of records relating to well-known businesses, as seen in the following table:

Company     # of accounts   # of documents
Amazon      5,442           17,137
Apple       584             6,405
Citi        653             137,285
Chase       85              177
Google      3,678           32,153
Microsoft   3,330           2,390
From the samples of the database that were shared, the document titles alone reveal a great deal about financial reports, M&A activity, NDAs, and product updates.
This may be one of the worst corporate data breaches we have seen in a while if the threat actors stole the documents as they say.
Since Nitro is widely used by companies to digitally sign confidential financial, legal, and marketing documents, the leak of such documents could have a major effect on a company's business.
In this attack, we were not able to confirm whether documents were stolen.
Cyble has added the data to their AmIBreached.com service for those who are worried that their Nitro account is part of this leak. Users can enter their email address to check whether it appears in the stolen database.
Update 10/27/20: Nitro has sent a statement that they are investigating the attack, but there is no indication that “customer-related sensitive or financial data has been compromised.”
Nitro continues to investigate an isolated security incident involving limited access to a Nitro database by an unauthorised third party. The database does not contain user or customer documents, which are hosted in a separate database.
There is currently no established evidence that any sensitive or financial data relating to customers has been compromised. There is no impact to Nitro Pro or Nitro Analytics.
Usage of Nitro’s popular free document conversion services does not require users to create an account or become a Nitro customer. Users are required to provide an email address and common email domains are frequently entered.