Australian document productivity company Nitro Software Inc has revealed it suffered a security incident, in which a third party gained a limited access to a Nitro database. The affected database, which supports certain Nitro online services and is used for the storage of information related to Nitro’s free online products, does not contain user or customer documents, the company said.
The company described the data breach as “a low impact security incident”, however, according to Bleeping Computer, the data stolen included the company’s user and document databases along with 1 TB in documents created by Nitro’s customers. The stolen information is now being sold in a private auction with the starting price set at $80,000, according to the cybersecurity firm Cyble.
The researchers said the user_credential' database table includes 70 million user records containing email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and other system-related data. The document database contains a file's title, whether it was created, signed, what account owns the document, and whether it's public.
According to Cyble, the databases include records related to major companies, such as Amazon, Apple, Citibank, Chase, Google, and Microsoft. Among the stolen data is hundreds of accounts and documents linked to those companies, including financial reports, merger and acquisition activities, nondisclosure agreements and product release details.
Given the scale and extent of the breach, this incident could be one of the worst corporate data breaches seen in the last few years, the researchers said.