For organizations using Nitro's cloud services (Nitro Cloud) prior to 2021:
Following the breach, Nitro announced:
What they didn’t do:
The leaked data, analyzed by multiple independent security firms, contained two primary database tables: nitro pdf data breach
| Right | Wrong | |-----------|-----------| | Used bcrypt hashing (slow, salted hashes) | Misconfigured cloud database access | | Notified affected users within 7 days | Did not enforce 2FA earlier | | Hired external forensics firm | Initial disclosure lacked technical details | For organizations using Nitro's cloud services (Nitro Cloud)
Nitro offers 2FA via authenticator apps (Google Authenticator, Authy, etc.). Enable it immediately. This blocks 99% of credential-stuffing attacks. What they didn’t do:
Cybersecurity researchers at Comparitech, working with expert Bob Diachenko, discovered an unsecured MongoDB database containing 70 million user records. The database was publicly accessible without any authentication. The host of the database was confirmed to belong to Nitro Software.