Nitro PDF Data Breach
Nitro’s response received mixed reviews:
| What They Did Right | What They Did Wrong |
|---------------------|---------------------|
| Secured the database within 24 hours of disclosure | Did not notify users immediately upon discovery |
| Stored passwords as bcrypt hashes rather than plaintext | Legacy database was exposed for an unknown period (possibly weeks) |
| Forced password resets for all users | Initial disclosure came from third-party researchers, not proactively from Nitro |
| Published a security advisory | No public breach portal for users to check their individual status |
Overall, Nitro avoided the worst outcomes (plaintext passwords, full payment data) but failed on transparency and proactive communication.
Nitro officially confirmed the breach, stating that an “unauthorized third party” gained access to a legacy user database. They reset passwords for all affected accounts and forced a logout across all Nitro Cloud and Nitro Sign sessions. The company also began notifying users via email.
Even though full credit card numbers were not taken, partial billing addresses combined with your name and email address are enough to open fraudulent accounts in your name. Consider a credit freeze or an identity monitoring service (e.g., Aura, LifeLock, or free options such as Credit Karma).
Nitro offers 2FA via authenticator apps (Google Authenticator, Authy, etc.). Enable it immediately. Credential stuffing replays leaked email/password pairs against other services; with a second factor the password alone no longer grants access, which is why MFA is widely estimated to stop the large majority (the commonly quoted figure is 99%) of such automated attacks.
The Nitro PDF data breach is a frequently cited case study in third-party supply chain risk: it occurred in September 2020 but remains a concern for corporate security teams because of the sensitivity of the leaked document metadata.
Initially dismissed by Nitro Software as a "low impact security incident," the breach actually exposed over 77 million user records and potentially compromised document metadata belonging to some of the world's largest companies, including Google, Apple, Microsoft, Chase, and Citibank.

Breach Overview & Impact
The attack was attributed to the notorious cybergang ShinyHunters, known for selling high-value breached data on hacker forums.
- Scale of Leak: Approximately 77,159,696 user records were stolen, totaling 14 GB of data.
- Data Types Exposed: Full names, email addresses, bcrypt-hashed passwords, company names, IP addresses, and document titles.
- The "Document Database" Concern: Beyond user credentials, the attackers reportedly accessed a database of document titles that disclosed confidential activities such as M&A (mergers and acquisitions), NDAs, financial reports, and product releases.
- Price of Privacy: The stolen database was initially auctioned on the dark web with a starting price of $80,000 before being leaked for free by actors claiming affiliation with ShinyHunters.

Timeline of the Incident

- Sept 28, 2020: The breach itself occurs.
- Oct 21, 2020: Nitro issues a security advisory describing an "isolated security incident" with "low impact".
- Jan 21, 2021: A 14 GB dump of Nitro user data is published online for free, revealing the true scale.
- Current (2026): Nitro continues to release security patches addressing secondary vulnerabilities such as certificate validation bypasses (CVE-2025-67825).

Lessons and Remediation
The Nitro breach highlighted the danger of supply chain exposure, where a breach at a specialized software vendor can leak data belonging to multi-billion dollar enterprises.

Nitro Data Breach - Have I Been Pwned
Visit haveibeenpwned.com and enter your email address. This independent breach notification service has indexed the Nitro dataset and will tell you whether your address appears in the exposed records it holds.
If you fall into any of the following categories, you are likely affected: