A stolen database containing over 77 million records of Nitro PDF service users, including email addresses, names, and passwords, was leaked online.
The 14GB leaked database contains 77,159,696 records with users’ email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and other system-related information.
The database has been added to the Have I Been Pwned service, which lets users check whether their info has been compromised in this data breach and leaked on the Internet.
Nitro is an application that allows you to create, edit, and sign PDFs and digital documents. The company Nitro Software claims to have more than 10,000 business customers and around 1.8 million licensed users.
Nitro also provides a cloud service that customers can use to share documents with coworkers or any other organizations involved in the document creation process.
The huge Nitro PDF data breach was reported last year and it affects many well-known companies, including Google, Apple, Microsoft, Chase, and Citibank.
Nitro Software disclosed the breach on October 21, 2020, in an advisory describing it as a “low impact security incident.” They also said that customer data was not impacted in the breach.
However, it was later found that a database allegedly containing 70 million Nitro PDF user records was auctioned together with 1TB of documents, with a starting price set at $80,000.
Now, a hacker claiming to be a part of ShinyHunters has leaked the full database on a hacker forum for free. He has also set a price of $3 for accessing the download link.
ShinyHunters is a notorious hacker group famous for hacking online services and selling stolen information via data breach brokers or in private sales.
Earlier, ShinyHunters claimed to be behind the breaches at Homechef, Wattpad, Minted, Tokopedia, Dave, Promo, Chatbooks, Mathway, etc., but it was proved wrong.
Nitro PDF users are highly recommended to change their passwords to a strong, unique password, as the leaked credentials can be used to conduct phishing attacks or credential stuffing.
Make sure to use a unique password that is not used for any other accounts, and make it a practice to use a password manager to help manage and generate unique passwords for different sites.