
Cyber Incident Victim: Nitro Software

Date: Oct 2020

Location: Australia

Summary

A significant security breach impacted a widely-used PDF service, compromising sensitive data from major corporations including Microsoft, Google, Apple, Chase, and Citibank. Threat actors stole databases containing approximately 70 million user records with email addresses, hashed passwords, company details, and IP addresses, alongside claims of exfiltrating 1TB of documents including financial reports and legal agreements. While the service provider initially asserted no customer data was affected, external analysis confirmed the legitimacy of exposed credentials and revealed discrepancies in the company's statements regarding the breach's scope. The stolen data was offered for private auction, raising concerns about potential misuse of sensitive corporate information. The incident prompted forced password resets as a precaution despite assertions that documents were stored separately and not accessed.


Description

On October 21, 2020, Nitro Software disclosed a security incident to the Australia Stock Exchange, characterizing it as "low impact" with no compromise of customer data. Cybersecurity firm Cyble subsequently reported that a threat actor was auctioning databases and documents allegedly stolen from Nitro’s cloud service, with a starting bid of $80,000. The stolen data included a ‘user_credential’ table containing 70 million records with email addresses, full names, bcrypt hashed passwords, company names, IP addresses, titles, and system-related information. A separate document database listed file titles, ownership details, creation/signing status, and public accessibility flags. BleepingComputer verified the authenticity of the user database by cross-referencing known Nitro account email addresses. Samples revealed document titles indicating sensitive financial reports, mergers and acquisitions (M&A) activities, non-disclosure agreements (NDAs), and product releases. The actor claimed possession of 1TB of documents, though document theft remained unconfirmed. Impacted organizations included major corporations such as Apple (584 accounts, 6,405 documents), Microsoft (3,330 accounts, 2,390 documents), Google (3,678 accounts, 32,153 documents), Citibank (653 accounts, 137,285 documents), Chase (85 accounts, 177 documents), and Amazon (5,442 accounts, 17,137 documents).


Nitro initially asserted that the exposed email domains did not represent customers or accounts and that no documents were compromised, as documents were stored in a separate database. The company clarified that the breached database primarily contained logs from its free document conversion service, which requires only an email address for file delivery and does not create formal accounts. However, BleepingComputer noted the presence of bcrypt hashed passwords in the user database, contradicting Nitro’s characterization of the data as non-account-related. Nitro secured its environment immediately after detecting the incident and enforced a precautionary password reset despite stating passwords were "highly encrypted." The firm maintained there was no evidence of compromised sensitive or financial customer data and confirmed no impact to its Nitro Pro or Nitro Analytics products. The incident’s potential severity stemmed from Nitro’s widespread use for signing sensitive financial, legal, and marketing documents, raising concerns about corporate espionage or operational disruption if document theft was substantiated.
