Over 77 Million Nitro PDF User Records Shared Online for Free

  • The data from last year’s massive Nitro PDF breach is now being shared online for free.
  • The 14GB database includes over 77 million unique email addresses, along with IPs, names, and bcrypted passwords.
  • The widespread exposure will now bring a spike in phishing and scamming attempts against millions of people.

Former and current users of the ‘Nitro PDF’ software are getting notices of a data leak affecting them from ‘have I been pwned?’. Apparently, someone claiming to be part of the “Shiny Hunters” data broker ring has decided to leak a 14GB database containing 77,159,696 records.

The database was shared for free on hacking forums, exposing a large number of people to new risks. Reportedly, Nitro PDF was breached back in September 2020, so a small group of hackers had been exploiting the data set privately for about five months before this release.

The wider leak compounds the problem for the affected individuals: many more actors will now comb through the large volume of data, and the targeting will broaden to cover everyone in it. The records in the database include the following details:

  • Full names
  • Email addresses
  • Passwords (bcrypted)
  • Company and title
  • IP addresses
  • System information

Judging from the number of records, the database must cover Nitro PDF’s entire user base. The software is used to create, edit, sign, and secure PDF files, so accounts belonging to several corporate clients appear in the database, including Apple, Citi, Google, Microsoft, and Amazon.

Those accounts may already have been targeted by the original actors, who were most likely cherry-picking their targets from the massive dataset. Cyble had also discovered that the database was being offered for sale to anyone interested for $80,000 when the breach happened.

Nitro PDF had disclosed the security incident back in October, about a month after it happened, stating that it did not expose sensitive financial data or actual documents. That statement appears to hold up, although the incident was still wrongly categorized as “low impact.”

Having full names, email addresses, IP addresses, and job details exposed gives phishing actors and scammers a high-quality basis for targeted attacks. Credential stuffing is also a real possibility, even though the passwords were bcrypted: bcrypt only makes each guess expensive, so short, common, or otherwise weak passwords still fall to dictionary attacks, and whatever is recovered will be tried against other services where the same password was reused.

If you have received a notification from ‘have I been pwned?’, reset your password and use something strong and unique this time, especially on any other service where you reused the same password. Ideally, just pick a password manager and generate “ridiculously” secure passwords everywhere.
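To make the two points above concrete, here is an added example (not code from the article or from Nitro): a dictionary attack against a small table of salted, slow-hashed passwords, alongside a CSPRNG-generated password of the kind a password manager produces. Because bcrypt is not in Python’s standard library, the example uses PBKDF2-HMAC-SHA256 with a high iteration count as a stand-in for bcrypt’s cost factor; that substitution, the wordlist, and the email addresses are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import string

# Stand-in for bcrypt's cost factor (assumption for this example): PBKDF2
# iterations per guess. Like bcrypt, it makes every guess cost a fixed amount
# of CPU, but it does nothing about how few guesses a weak password needs.
ITERATIONS = 100_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow password hash (PBKDF2 as a bcrypt stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(email: str, password: str) -> dict:
    """Build one leaked-style record: email, per-user random salt, and hash."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": slow_hash(password, salt)}


# Constructed wordlist of common or predictable choices. Real attackers use
# millions of entries harvested from earlier breaches; the mechanics are the same.
WORDLIST = [
    "123456", "password", "qwerty", "letmein", "welcome1",
    "nitro2020", "Password1", "summer2020",
]


def dictionary_attack(record: dict, wordlist: list[str]) -> tuple[str | None, int]:
    """Try each candidate against one record.

    Returns (recovered_password, guesses_used); the password is None when
    nothing in the wordlist matched. Each guess pays the full KDF cost, which
    is the only protection the slow hash offers.
    """
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(slow_hash(candidate, record["salt"]), record["hash"]):
            return candidate, guesses
    return None, len(wordlist)


def crack_table(records: list[dict], wordlist: list[str]) -> dict[str, str | None]:
    """Run the dictionary attack over a whole leaked table; None = not cracked."""
    return {r["email"]: dictionary_attack(r, wordlist)[0] for r in records}


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, as a password manager would produce."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample table: one user who picked a predictable password,
    # one who used a generated one.
    weak = make_record("alice@example.com", "nitro2020")
    strong = make_record("bob@example.com", generate_password())
    print(crack_table([weak, strong], WORDLIST))
```

The weak record falls after a handful of guesses no matter how high the cost factor is set, because the cost only multiplies the number of guesses needed, and that number is tiny for a password that appears in any breach-derived wordlist. The generated password never appears in the list, so the attacker has to exhaust it and move on; that, not the hash algorithm, is what makes a reset to a unique random password effective.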
