Hacker Exposes Data of 24 Million Lumin PDF Users

Giulio Saggin
Tuesday 28 November 2023

A hacker has published a download link to the entire user database of Lumin PDF, totalling more than 24 million users, on a hacking forum. ZDNet reports that the hacker resorted to this tactic after Lumin PDF administrators didn't respond to numerous queries he'd made over the past few months.

The hacker claimed the data was obtained from a MongoDB database belonging to Lumin PDF, which was left exposed without a password in April this year. "Vendor was contacted multiple times, but ignored all the queries," wrote the hacker on the forum, adding: "The data was later destroyed by ransomware, and server taken down soon after."

Most of the published data showed the users' names, email addresses, (language) locale settings, and a hashed password string or Google access token. However, the data of nearly 120,000 users contained "password strings that appear to have been hashed using the Bcrypt algorithm, suggesting these are users who registered an account on the Lumin PDF website."

Google has been made aware of the incident, including the leaked access tokens, which can "allow malicious threat actors to pose as legitimate users and access Google Drive accounts."

Lumin PDF users are advised to revoke the app's access to their Google Drive account (instructions are also on the Google Drive support page):

- On your computer, go to drive.google.com.
- Click the cog (settings) icon in the top-right menu bar.
- Click the Settings option in the drop-down menu.
- Click Manage apps in the side menu.
- Next to the app, click Options.
- Click Disconnect from Drive.
