
BitDam Blog

How to Protect Yourself From The Lumin PDF Data Breach?
Roy Rashti
2 minutes & 3 seconds read · October 17, 2019


If you’re reading this, you’ve probably heard about the recent data breach at Lumin PDF, which exposed sensitive information on millions of users. Keep reading to learn what happened and what you should do to protect yourself.

What’s Lumin PDF?

Lumin PDF is a cloud-based platform for viewing, editing and sharing PDF files. Part of its success comes from Google, which lists Lumin as a third-party application for opening PDF files directly from Google Drive.

What happened?

Last month, a hacker published the details of over 24 million Lumin PDF users.

Unlike many breaches that make the headlines, this one involved no zero-day exploit and no sophisticated phishing campaign. According to the person who published the database, Lumin stored this information in a MongoDB instance exposed to the internet without a password. Anyone scanning for open databases, even with a basic crawler, could read it.

The leaked records contained fields such as name, gender, hashed passwords and Google access tokens, a gold mine for attackers.

What exactly is a hashed password?

A hash function maps a password to a fixed-size value. A well-designed cryptographic hash cannot be reversed: there is no way to compute the password from its hash. What an attacker can do is guess candidate passwords, hash each guess and compare it with the leaked value. That takes substantial time and compute when the hash is slow and salted, and very little when it is a fast, unsalted hash such as plain SHA-256 or MD5.
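The following is an added example, not code from the original post or from Lumin, showing why "hashed" is not the same as "safe": it builds a constructed three-user table hashed two ways (unsalted SHA-256 versus salted PBKDF2 from the Python standard library), runs the same small wordlist against both, and then tries the recovered passwords against a constructed second service to illustrate the password-reuse risk discussed in the next section. All usernames, passwords, the wordlist and the low iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os


def weak_hash(password: str) -> str:
    """Unsalted SHA-256: fast, and the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = None, iterations: int = 10_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The iteration count is kept low so the demo
    runs quickly; a real deployment would use a far higher count or bcrypt/scrypt/Argon2."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and iteration count and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample users and an attacker's wordlist (not real breach data).
USERS = {
    "alice": "Summer2019!",
    "bob": "hunter2",
    "carol": "Tr0ub4dor&3-unique-passphrase",
}
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2019!", "hunter2"]

# Two versions of the "leaked" table, one per hashing scheme.
LEAKED_UNSALTED = {u: weak_hash(p) for u, p in USERS.items()}
LEAKED_SALTED = {u: strong_hash(p) for u, p in USERS.items()}


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes: hash each guess once and look it
    up against every user's hash at the same time. Returns (recovered, hashes_computed)."""
    lookup = {weak_hash(w): w for w in wordlist}
    recovered = {u: lookup[h] for u, h in leaked.items() if h in lookup}
    return recovered, len(wordlist)


def crack_salted(leaked: dict, wordlist: list) -> tuple:
    """Same attack against salted PBKDF2: every guess must be re-hashed per user,
    with that user's salt and iteration count. Returns (recovered, hashes_computed)."""
    recovered, work = {}, 0
    for user, stored in leaked.items():
        for guess in wordlist:
            work += 1
            if verify_strong(guess, stored):
                recovered[user] = guess
                break
    return recovered, work


# Constructed second service: alice reused her password there, bob did not.
OTHER_SERVICE = {
    "alice": strong_hash("Summer2019!"),
    "bob": strong_hash("a-different-password"),
}


def credential_stuffing(recovered: dict, other_service: dict) -> list:
    """Try each recovered plaintext against the other service. Only reused
    passwords succeed, regardless of how well the other service hashes them."""
    return [u for u, pw in recovered.items()
            if u in other_service and verify_strong(pw, other_service[u])]


if __name__ == "__main__":
    rec, work = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print("unsalted:", rec, "hash computations:", work)
    rec2, work2 = crack_salted(LEAKED_SALTED, WORDLIST)
    print("salted:  ", rec2, "hash computations:", work2)
    print("accounts that fall to credential stuffing:", credential_stuffing(rec, OTHER_SERVICE))
```

Both schemes give up the two weak passwords; the difference is cost. Against the unsalted table the attacker hashes six guesses once and matches all users at once (and would do the same against a table of 24 million), while the salted table forces a fresh slow computation per guess per user. Carol's long passphrase survives either way, and alice loses her account on the second service purely because she reused the password.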

What are the risks here? And how to protect?

  • The most sensitive data exposed in this breach were the hashed passwords and the access tokens. Although the leaked passwords were not the originals but hashed values of them, the risk is still high. Why? An attacker can run an offline guessing attack against the hashes; how quickly that succeeds depends on how Lumin implemented its hashing (algorithm, salting, work factor), which the leak itself does not tell us. Any password recovered this way can then be tried against other services where the user reused it. And where another service happens to store passwords with the same unsalted hashing scheme, identical hash values reveal the reuse without any cracking at all.

To protect yourself, use a different password for every service. If you used your Lumin password anywhere else, change it there now, and change it at Lumin as well.

  • Lumin claims the leaked Google access tokens had already expired. To remove any uncertainty, revoke Lumin’s access to your Google account (Google Account > Security > Third-party apps with account access, or https://myaccount.google.com/permissions).


Keep in mind that most data leaks do not start with an unsecured database; they follow a successful cyber attack, typically a trojan or a credential-harvesting phishing site, most often delivered by email.

To keep your data protected, test your security posture regularly. Some good online tools are available; one of them, focused on email breach and attack simulation, can be launched here.