Nitro PDF users’ email addresses and hashed passwords leaked
Updated at 6.30pm on 10 December 2020
Nitro PDF, a PDF enterprise document creation and sharing web application, has experienced a significant data breach. A person claiming to be in possession of this data has published 2.6 million email addresses and hashed passwords, including over 4,000 .nz email addresses. As of late October, the attackers were claiming to have also stolen documents available for sale. CERT NZ cannot verify the authenticity of this data.
Nitro PDF, a PDF enterprise software program.
What this means
Update: From initial reporting in late October, the attackers claimed to have PDF documents from Nitro PDF for sale. In late November, CERT NZ became aware the attackers had publicly shared the metadata of the documents, indicating that they had the PDF documents in their possession.
At this point CERT NZ has no reason to believe that the attackers intend to release these publicly. However CERT NZ is encouraging organisations to consider what the implications would be if the documents were released.
Inital information: A data breach is when private and confidential information is released into an unsecured environment. This usually means that the information becomes publicly available. It also means that others can use it for personal gain, or to cause harm to a business or individual.
The breach has made over 2.6 million email addresses and hashed passwords publicly available. This includes over 4,000 .nz email addresses.
Password hashes are a way of storing information about a person's password that allows verification of correctly entered passwords without storing the password itself. Password hashes cannot be reversed to the original password, but an attacker can guess passwords and apply the same hashing method to confirm if the guess matches the original password. This means that the longer and stronger a password is, the more difficult it is to crack if someone obtains your password hash. Shorter and commonly occurring passwords are easier for attackers to crack.
CERT NZ understands that alongside the breached email addresses and password details, there has also been a data release. The details of this data is not yet confirmed.
What to look for
How to tell if you're at risk
You have an account with Nitro PDF.
What to do
CERT NZ highly recommends:
- if you use the Nitro PDF service, change your account password immediately to something long, strong and unique
- if you’ve used that same password on any other online accounts, make sure you also change those passwords immediately.
CERT NZ also recommends that you:
- Understand what documents have been uploaded to the service and how sensitive the information in them is.
- Be prepared and have an incident response plan ready in the instance the documents are made public, which includes notifying the Office of the Privacy Commissioner and any affected customers in line with the requirements of the Privacy Act 2020.
To help businesses and organisations, the OPC has an online privacy breach notification tool on its website called NotifyUs. This and other Privacy Act 2020 resources can be found on the OPC website.
Use a password manager to securely store your long, strong and unique passwords.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.