
A massive data breach suffered by the Nitro PDF service impacts many well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank.
Claimed to be used by over 10 thousand business customers and 1.8 million licensed users, Nitro is an application used to create, edit, and sign PDFs and digital documents.
As part of their service offering, Nitro offers a cloud service used by customers to share documents with coworkers or other organizations involved in the document creation process.
Nitro software suffers a data breach
On October 21st, Nitro Software issued an advisory to the Australian Securities Exchange (ASX), stating that they were affected by a "low impact security incident" but that no customer data was impacted.
"NITRO ADVISES OF LOW IMPACT SECURITY INCIDENT
* AN ISOLATED SECURITY INCIDENT INVOLVING LIMITED ACCESS TO NITRO DATABASE BY AN UNAUTHORISED THIRD PARTY
* DATABASE DOES NOT CONTAIN USER OR CUSTOMER DOCUMENTS.
* INCIDENT HAS HAD NO MATERIAL IMPACT ON NITRO'S ONGOING OPERATIONS.
* INVESTIGATION INTO INCIDENT REMAINS ONGOING
* NO EVIDENCE CURRENTLY THAT ANY SENSITIVE OR FINANCIAL DATA RELATING TO CUSTOMERS IMPACTED OR IF INFO MISUSED
* DOES NOT ANTICIPATE A MATERIAL FINANCIAL IMPACT TO ARISE FROM INCIDENT
* INCIDENT IS NOT EXPECTED TO IMPACT CO'S PROSPECTUS FORECAST FOR FY2020"
It turns out that there may be more to the story than initially stated.
Cybersecurity intelligence firm Cyble has told BleepingComputer that a threat actor is selling the user and document databases, as well as 1TB of documents, that they claim to have stolen from Nitro Software's cloud service.
This data is now being sold in a private auction with the starting price set at $80,000.
Cyble states that the 'user_credential' database table contains 70 million user records containing email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and other system-related data.

BleepingComputer was able to determine the stolen user database's authenticity by confirming known email addresses of Nitro accounts that were present in the database.
The document database contains each file's title, its creation and signing status, the account that owns the document, and whether it is public.
According to Cyble, these databases contain a considerable number of records related to well-known companies, as illustrated in the table below:
| Company | # of accounts | # of documents |
|---|---|---|
| Amazon | 5,442 | 17,137 |
| Apple | 584 | 6,405 |
| Citi | 653 | 137,285 |
| Chase | 85 | 177 |
| [name missing] | 3,678 | 32,153 |
| Microsoft | 3,330 | 2,390 |
From the samples of the database shared with BleepingComputer, the document titles alone disclose a great deal of information about financial reports, M&A activities, NDAs, or product releases.

If the threat actors stole the documents as they claim, this could be one of the worst corporate data breaches we have seen in a while.
As Nitro is commonly used by businesses to sign sensitive financial, legal, and marketing documents digitally, it could allow for the leaking of information that would significantly impact a company's business.
BleepingComputer has not been able to confirm if documents were stolen in this attack.
For those who are concerned that their Nitro account is part of this breach, Cyble has added the data to their AmIBreached.com service. Users can submit their email address and check if it was disclosed in the stolen database using this service.
Update 10/27/20: Nitro has sent BleepingComputer an updated statement that "the email domains in these logs do not constitute Nitro 'customers' or 'accounts.'" Unfortunately, this does not appear accurate, as the user database seen by BleepingComputer does contain a bcrypt hashed password column. Nitro's full statement follows:
Nitro continues to investigate an isolated security incident involving limited access to a Nitro database by an unauthorised third party. The incident database does not contain any user or customer documents, which are hosted in a separate database in a different location.
The incident database is primarily used for service logging purposes related to Nitro’s popular free online document conversion services.
Usage of Nitro’s free document conversion services does not require users to create an account or become a Nitro customer. Users are required to provide an email address – converted files are delivered to the email address provided – and common email domains are frequently entered and will show up in these logs.
For clarity, the email domains in these logs do not constitute Nitro ‘customers’ or ‘accounts’, and the logs do not contain any documents.
There is currently no established evidence that any sensitive or financial data relating to customers has been compromised. There is no impact to Nitro Pro or Nitro Analytics.
Nitro’s environment was fully secured immediately after the incident was identified. While the incident database does not contain sensitive or financial information, and passwords are highly encrypted, we are communicating with customers and have implemented a password reset as a precautionary measure.