Expert Commentary: Massive Nitro Data Breach Impacts Microsoft, Google, Apple, More

A massive data breach suffered by the Nitro PDF service has impacted many well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank. Nitro, an application used to create, edit, and sign PDFs and digital documents, claims over 10 thousand business customers and 1.8 million licensed users. On October 21, Nitro Software issued an advisory to the Australia Stock Exchange stating that it had been affected by a “low impact security incident” but that no customer data was impacted.

Cybersecurity intelligence firm Cyble has revealed that a threat actor is selling the user and document databases, as well as 1TB of documents, that they claim to have stolen from Nitro Software’s cloud service. Cyble states that the ‘user_credential’ database table contains 70 million user records containing email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and other system-related data.

Jayant Shukla, CTO and Co-Founder
InfoSec Expert
October 27, 2020 3:07 pm

While we don’t know how the data breach involving the Nitro PDF service may have come about, it’s likely from phishing campaigns and stolen credentials, or from exploiting vulnerabilities in applications, as these are the two most common sources of breaches.

To protect themselves, organizations need to make sure that not only are they using phishing detection and training employees to recognize phishing, they also need to make sure they have defense-in-depth for all of their applications, data, and assets that are internet-facing. This includes making sure their devices and software are up to date and patched, and that they have runtime application security in place for their applications.

Equally important, organizations need to make sure they vet the security of the many partners and third-party organizations that they depend on as thoroughly as they vet their own security infrastructure.

Last edited 2 years ago by Jayant Shukla
Josh Bohls, Founder
InfoSec Expert
October 27, 2020 3:03 pm

The Nitro PDF data breach could be one of the biggest corporate disclosures since the so-called “Panama Papers” breach in 2016 (https://www.theguardian.com/news/2016/apr/03/what-you-need-to-know-about-the-panama-papers). If the reports are true, this is the kind of data leak that could be dripping for many months, and cause extreme embarrassment, legal action, and major ripples across the global economy. The big warning that should not be overlooked is that Nitro is a publicly-traded company with a highly reputable service.

There are many other PDF editors and electronic signature platforms with fewer resources to secure customer data, many of which rely on advertising revenue or a very low entry point cost. I would expect many of these companies to be even more susceptible to a data breach than Nitro.

I hope that this serves as a wake-up call to IT executives to evaluate how employees are creating, scanning, viewing, editing, and signing PDF documents on desktop and mobile and look for solution providers who prioritize data security and corporate controls.

Last edited 2 years ago by Josh Bohls
Pravin Rasiah, VP of Product
InfoSec Expert
October 27, 2020 2:45 pm

Companies entrusted with customer information have a responsibility to ensure their data stays secure and out of the hands of cybercriminals, who can use this exposed information to launch targeted attacks and gain access to other user accounts and resources. Without awareness or proactive action to maintain cloud security policies, it’s more likely that malicious actors will target and exploit the system to compromise sensitive information. Complete visibility into the cloud environment combined with proper cloud governance is critical to preventing data breaches and protecting customer data. Businesses should invest in a comprehensive set of security tools that monitor and control security status in real-time, minimizing the potential attack surface and providing holistic observability into the cloud environment.

Last edited 2 years ago by Pravin Rasiah
Information Security Buzz