UPDATED 23:04 EDT / OCTOBER 26 2020

SECURITY

Nitro Software hacked with customer data offered for sale on the dark web

Australian document productivity company Nitro Software Inc. has suffered a data breach with customer data being offered for sale on the dark web.

The company, which provides services to much of the Fortune 500, was hacked sometime earlier this month. In a statement last week to the Australian Stock Exchange, Nitro advised that it had been impacted by a “low impact security incident” involving “limited access to a Nitro database by an unauthorized third party.”

“Low impact” is an interesting choice of words. According to Bleeping Computer, the data stolen included the company’s user and document databases along with 1 terabyte in documents created by Nitro’s customers.

The data, offered at a starting price of $80,000 on a dark web site, is said to include 70 million user records containing email addresses, full names, bcrypt-hashed passwords, titles, company names, IP addresses and other system-related data.

Data breaches in 2020 are a dime a dozen, but what makes this one more interesting than most is that Nitro clients include Google LLC, Apple Inc., Amazon.com Inc., Microsoft Corp., JPMorgan Chase & Co. and Citigroup Inc. Among the stolen data are tens of thousands of accounts and documents linked to those companies, including financial reports, merger and acquisition activities, nondisclosure agreements and product release details.

In the words of Bleeping Computer, “this could be one of the worst corporate data breaches we have seen in a while.”

Officially, Nitro is downplaying the data breach, saying in a statement that “Nitro continues to investigate an isolated security incident involving limited access to a Nitro database by an unauthorized third party. The database does not contain user or customer documents, which are hosted in a separate database.”

“While we don’t know how the data breach involving the Nitro PDF service may have come about, it’s likely from phishing campaigns and stolen credentials, or from exploiting vulnerabilities in applications, as these are the two most common sources of breaches,” Jayant Shukla, chief technology officer and co-founder of application security firm K2 Cyber Security Inc., told SiliconANGLE.

“To protect themselves, organizations need to make sure that not only are they using phishing detection and training employees to recognize phishing, they also need to make sure they have defense in depth for all of their applications, data and assets that are internet-facing,” Shukla explained. “This includes making sure their devices and software are up to date and patched, and they have runtime application security in place for their applications.”

Equally important, he added, organizations need to make sure they vet the security of the many partners and third-party organizations they depend on as thoroughly as they vet their own security infrastructure.

On a day the Australian Stock Exchange All Ordinaries was down 1.9%, the share price of Nitro fell almost 4% as of 1:52 p.m. AEDT (10:52 p.m. EDT).
