Cyber Incident Victim: Lumin PDF
Date:
Apr 2019
Location:
United States of America
Summary
A hacker leaked the records of roughly 24.4 million users of the cloud-based PDF service Lumin PDF after its MongoDB database had sat exposed online without a password for months; the hacker said the leak followed repeated, unanswered attempts to notify the company. The records held full names, email addresses, gender, locale settings and, for most accounts, a Google access token; the 118,746 users who had registered directly with Lumin PDF instead had passwords hashed with bcrypt. According to the hacker, the exposed database was later wiped by ransomware and the server taken offline. The company confirmed that a portion of its user data was in the leak but disputed that the Google access tokens were usable, stating that all of them had already expired at the time of the breach. The configuration weaknesses that led to the exposure were subsequently fixed.
Description
In April 2019, a MongoDB database belonging to Lumin PDF was discovered exposed online without a password, containing the user records of the cloud-based PDF service. The unidentified hacker who found the database claimed to have tried repeatedly, over several months, to notify Lumin PDF about the lapse but received no response from the company's administrators. After these unsuccessful contact attempts, the hacker reported, the exposed data was destroyed by ransomware and the affected server was taken offline.

Approximately five months after the initial discovery, on September 16, 2019, the same hacker published Lumin PDF's entire user database on a hacking forum. The leak consisted of a 2.25GB ZIP file containing a 4.06GB CSV file with records for 24,386,039 users. The compromised information included full names, email addresses, gender, language locale settings and, for most accounts, a Google access token; the 118,746 users who had registered directly with Lumin PDF instead had passwords hashed with the bcrypt algorithm. The hacker's stated motivation for the leak was frustration at Lumin PDF's failure to respond to the earlier notifications about the exposed database.
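The exposure described above is the classic MongoDB misconfiguration: the server listens on a public interface and authorization is never turned on, so any client that can reach TCP/27017 can list and dump every database. The following two mongod.conf fragments are an added example, not configuration from the page or from Lumin PDF. The first reproduces the weak pattern; the second is the corrected form. The port, the private address 10.0.0.5 and the file layout are assumptions made for the example.

```yaml
# Added example, not Lumin PDF's configuration.
# Document 1: the exposed pattern. Older MongoDB releases bound to all
# interfaces by default, and authorization is off unless explicitly enabled.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including the public one
# No "security:" section -> authorization defaults to "disabled":
# any client that connects is treated as a full administrator.
---
# Document 2: corrected configuration.
net:
  port: 27017
  # Loopback plus the private application-network address only.
  # 10.0.0.5 is an assumed address; use the host's internal interface.
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled   # every client must authenticate; access is role-based
```

Before restarting with `authorization: enabled`, create the first administrative user over the localhost exception: connect from the host itself and run `use admin` followed by `db.createUser({user: "admin", pwd: passwordPrompt(), roles: ["userAdminAnyDatabase"]})`. The check that the fix took is to connect without credentials from another host and run `db.adminCommand({listDatabases: 1})`: an unprotected instance returns the database list, a correctly configured one fails with `code: 13` (`Unauthorized`, "command listDatabases requires authentication"), and if `bindIp` is right the connection from the public address should not be accepted at all. Binding to private interfaces and enabling authorization are complementary controls; a host firewall in front of port 27017 is a third layer, not a substitute for either.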

Lumin PDF CEO Max Ferguson confirmed, following an investigation, that the leaked data contained a portion of the company's user information, but disputed the hacker's claim that the Google access tokens were live, stating that every token in the leak had already expired and could not be used to reach users' Google Drive accounts. The company said the security weaknesses that enabled the breach had been resolved by September 2019 and planned to disclose the incident formally to users in a breach notification blog post on September 17. Google opened an investigation after ZDNet notified it of the leaked tokens, and users were advised to revoke the app's permissions through their Google account's app-access settings.

Between the discovery in April and the leak in September 2019, the email addresses and password data were exposed long enough to enable credential-stuffing attacks against other services where users had reused the same password. Bcrypt hashing of the direct-registration passwords limits the immediate damage for those accounts, because bcrypt is a deliberately slow, salted hash that makes bulk offline cracking expensive, but it does not make weak or common passwords safe, so those users still had reason to change any password they had reused elsewhere. No evidence suggested that unauthorized access to Google Drive content occurred through the expired tokens.
