Darknet auction spawns fears that attack might expose sensitive data from business customers
UPDATED A data breach at PDF services firm Nitro Software may have affected millions of users including workers at Microsoft, Google, and Chase Bank.
Nitro's software is used to create, edit, or sign PDFs or other digital documents.
Last week Nitro issued a statement admitting it had suffered a data breach while playing down its significance. The statement referred to an unauthorized third party gaining “limited access to a Nitro database”.
The database was said to relate primarily to Nitro’s free online products and not to contain either user or customer documents.
The incident, however, may be more significant than Nitro’s initial statement implies.
According to threat intelligence firm Cyble, a threat actor is reportedly selling user and document databases, as well as 1TB of documents, stolen from Nitro’s cloud service.
There are said to be 70 million user records containing email addresses, full names, company names, password hashes, IP addresses, and other system-related data up for auction.
Business customers heavily affected
Cyble has added data pertaining to the breach to its AMIBreached.com service. Many of the records on the compromised database relate to Fortune 500 companies, including tech giants Google and Apple.
Nitro has more than 10,500 business customers and 1.8m licensed users worldwide, though how many of them use Nitro Cloud rather than its Nitro Productivity Suite or other offerings remains unclear.
“From the samples of the database shared with BleepingComputer, the document titles alone disclose a great deal of information about financial reports, M&A activities, NDAs, or product releases,” Bleeping Computer reports.
Cyble told The Daily Swig: “Considering the scale and extent of the breach, this is one of the worst breaches Cyble has seen in the last few years. The cybercriminals were not only able to access sensitive account details on millions of users, but also the information related to shared documents as well. Almost all Fortune 500 organizations are affected by this breach.”
The Daily Swig asked Nitro to comment on reports that the scope of its recent breach might be greater than initially seemed the case.
Nitro initially responded with a statement reiterating what it said last week before offering an updated and expanded comment (extract below) on the incident on Wednesday:
Nitro continues to investigate an isolated security incident involving limited access to a Nitro database by an unauthorised third party.
The incident database does not contain any user or customer documents, which are hosted in a separate database in a different location.
The incident database is primarily used for service logging purposes related to Nitro’s popular free online document conversion services.
There is currently no established evidence that any sensitive or financial data relating to customers has been compromised. There is no impact to Nitro Pro or Nitro Analytics.
Nitro’s environment was fully secured immediately after the incident was identified. While the incident database does not contain sensitive or financial information, and passwords are highly encrypted, we are communicating with customers and have implemented a password reset as a precautionary measure.
Further information and updates are available through its website, the software developer added.
In an accompanying statement, Sam Chandler, Nitro Founder and CEO, criticised media reports suggesting that the compromised database housed copies of customer documents.
"Several media articles published in the past 24 hours contain a number of factual inaccuracies regarding this incident," Chandler said. "The relevant database does not contain copies of user or customer documents. Documents are stored in a separate database in a different location. There is currently no established evidence that this separate database has been compromised. We are providing updates on the incident on our security page.”
The Daily Swig relayed Nitro's updated statement to Cyble, which told us it was sticking to its warning that documents may have been exposed.
"We have credible intelligence that the documents may have been dumped as part of the cyberattack," Cyble's Beenu Arora told The Daily Swig. "While the perpetrators have claimed to gain significant access to the victim’s cloud infrastructure, the validity of the claims, and the extent of it, needs to be investigated."
"The metadata in the document database (i.e. name field) could give cybercriminals insights on 'who' might have access to sensitive documents in an organization (through the ID field in the databases) such as M&A related," he added.
This story has been updated to add Nitro's updated statement on the incident and Cyble's reaction.