[German]The provider Nitro PDF has experienced a massive data breach where cyber criminals have been able to stole data from customers. They are now selling the captured data in underground forums. This has implications for many high-profile organizations, including Apple, Google, Microsoft, Chase and Citibank, whose documents appear in the records.
Advertising
I have already been informed about this issue by the security company Cyble, who shared the information with Bleeping Computer. The colleagues from Bleeping Computer have published details with this this article.
Background information Nitro (PDF)
Nitro Software (Nitro PDF) is a vendor, that offers a number of products as a PDF Productivity Suite in the PDF document space. Nitro applications allow users to create, edit and sign PDFs and digital documents. Founded in Australia in 2004, the company's goal is to have 1.8 million licensed users in over 10,000 businesses and homes.
As part of its service offering, Nitro offers a cloud service. This is used by customers to share documents with colleagues or other organizations involved in the workflow.
Security incident at Nitro Software
On October 21, 2020, Nitro Software issued an ad hoc announcement to the Australian Stock Exchange stating that there had been a "low impact security incident" at the company, but that no customer data was affected.
"NITRO ADVISES OF LOW IMPACT SECURITY INCIDENT
* AN ISOLATED SECURITY INCIDENT INVOLVING LIMITED ACCESS TO NITRO DATABASE BY AN UNAUTHORISED THIRD PARTY
* DATABASE DOES NOT CONTAIN USER OR CUSTOMER DOCUMENTS.
* INCIDENT HAS HAD NO MATERIAL IMPACT ON NITRO'S ONGOING OPERATIONS.
* INVESTIGATION INTO INCIDENT REMAINS ONGOING
* NO EVIDENCE CURRENTLY THAT ANY SENSITIVE OR FINANCIAL DATA RELATING TO CUSTOMERS IMPACTED OR IF INFO MISUSED
* DOES NOT ANTICIPATE A MATERIAL FINANCIAL IMPACT TO ARISE FROM INCIDENT
* INCIDENT IS NOT EXPECTED TO IMPACT CO'S PROSPECTUS FORECAST FOR FY2020"
It reads harmlessly that limited access to a part of the Nitro database has happened by unauthorized third parties. They says: The database does not contain any user or customer documents, and no financial data has been leaked.
Advertising
Hacked data are offered in a underground auction
Such a statement as published above should actually make all alarm bells ring. In the meantime the situation looks clearly different. Security vendor Cyble hass told me by mail:
Considering the scale and scope of the privacy incident, this is one of the worst data hacks Cyble has seen in recent years. Not only have cybercriminals been able to access sensitive account information of millions of users, but also information related to shared documents. Almost all Fortune 500 organizations are affected by this privacy violation.
Cyble told BleepingComputer that an attacker was suspected of being able to pull data from the Nitro system. The attacker is now trying to sell the user and document databases and 1TB of documents that he allegedly stole from Nitro Software's cloud service in in a private auction, with a starting price set at $80,000.
Cyble states that the database table "user_credential" contains 70 million user records that include email addresses, full names, hashed bcrypt passwords, titles, company names, IP addresses and other system-related data.
Bleeping Computer was able to verify data from the stolen user database by checking known email addresses of nitro accounts that were present in the database. The document database contains the title of the files, whether they were created and signed, which account each document belongs to, and whether it is public. The following table, compiled by Cyble, contains an overview of affected companies:
| Company | # of accounts | # of documents |
| Amazon | 5 442 | 17 137 |
| Apple | 584 | 6 405 |
| Citiy Bank | 653 | 137 285 |
| Chase | 85 | 177 |
| 3 678 | 32 153 | |
| Microsoft | 3 330 | 2 390 |
Samples from the data base, BleepingComputer has obtained, indicates, that their document titles alone reveal a wealth of information about financial reports, M&A activities, NDAs or product releases. Nitro has remained silent on the incident and has not responded to inquiries. How the hackers got their hands on the data is currently unknown. Bleeping Computer has published details here and in some tweets. unbekannt.
