The details of over 24.3 million Lumin PDF users have been shared today on a hacking forum, ZDNet has learned from a source.
The hacker said they leaked the company's data after Lumin PDF administrators failed to answer his queries multiple times over the past few months.
Lumin PDF is a little-known cloud-based service that lets users view, edit, and share PDF files using a web-based dashboard, inside a browser extension, or via the company's mobile apps.
The service was founded in 2014, but most users are familiar with the company's name, being one of the third-party PDF apps that Google Drive users can install on their accounts and open problematic PDF documents.
However, today, a hacker published a download link to the company's entire user database. The hacker's download link is for a 2.25GB ZIP file that holds a 4.06GB CSV file containing the user records of 24,386,039 LuminPDF users.
With the help of a source, ZDNet has obtained a copy of this archive and verified its authenticity with several Lumin PDF users.
For the vast majority of user records, the CSV file contains users' full names, email addresses, gender, (language) locale settings, and a hashed password string or Google access token.
For most user entries, there's a Google access token included in the leaked data, confirming that most Lumin PDF are using the service as an add-in Google Drive app.
However, for 118,746 users, the leaked Lumin PDF data contained password strings that appear to have been hashed using the Bcrypt algorithm, suggesting these are users who registered an account on the Lumin PDF website.
Hacker claims Lumin PDF ignored contact attempts
Writing on the forum, the hacker claimed to have obtained the data from a MongoDB database belonging to Lumin PDF that was left exposed online without a password back in April 2019.
"The unprotected database was found about 5 months ago," the hacker wrote. "Vendor was contacted multiple times, but ignored all the queries.
"The data was later destroyed by ransomware, and server taken down soon after," the hacker added.
Such destructive attacks on MongoDB servers aren't new and have been happening since late 2016. Cybercriminals have made a habit out of accessing unprotected MongoDB databases, deleting their content, and leaving a ransom note behind hoping that a clueless victim would pay a ransom demand for data that doesn't exist anymore.
The hacker, whose name we won't be sharing in this article, did not make it particularly clear why they were sharing Lumin PDF's user records, despite the Lumin PDF server and the data not being available anymore. At a first glance, this looks like petty revenge.
Lumin PDF acknowledges the breach
ZDNet notified Lumin PDF that the company's data had been shared on a hacking forum. After this article's publication, Max Ferguson, Lumin PDF CEO and founder, replied to our request for comment with the results of their own investigation.
Ferguson confirmed that the leaked data contained a portion of Lumin PDF user data. However, the Lumin PDF CEO denied the hacker's claims that the leaked data contained valid Google access tokens.
If abused, these access tokens can allow malicious threat actors to pose as legitimate users and access Google Drive accounts.
"The leaked Google access tokens were all expired at the time of the breach, meaning that the attackers could not gain access to any user documents or signatures," the Lumin PDF exec told ZDNet in an email.
However, ZDNet must note that we are not in a position to verify the Lumin PDF's claims. At this point, it's the hacker's word against Lumin PDF's.
The company said it plans to publish a blog post on September 17, and disclose the security breach to its users.
"The security vulnerabilities that led to this breach have since been resolved," the exec also added.
Google is investigating
But in addition to reaching out to Lumin PDF, ZDNet also notified Google of the leaked data and the presence of the leaked access tokens. A Google spokesperson said the company is investigating the incident.
While Lumin PDF said that the leaked tokens had expired, users can make sure the tokens are useless by revoking the Lumin PDF app's permissions, and then reconnecting the app to their Google account again.
Instructions on how to disconnect the app and revoke its token are available in this Google Drive support page, and also below:
- On your computer, go to drive.google.com.
- Click the cog (settings) icon in the top-right menu bar.
- Click the Settings option in the drop-down menu.
- Click Manage apps in the side-menu
- Next to the app, click Options.
- Click Disconnect from Drive.
Updated at 6:10am, September 17, with statements from Lumin PDF.