The details of over 24.3 million Lumin PDF users have been shared today on a hacking forum, ZDNet has learned from a source.
The hacker said they leaked the company's data after Lumin PDF administrators failed to answer their queries multiple times over the past few months.
Lumin PDF is a little-known cloud-based service that lets users view, edit, and share PDF files using a web-based dashboard, inside a browser extension, or via the company’s mobile apps.
The service was founded in 2014. Most users will know the company's name from Google Drive, where Lumin PDF is one of the third-party PDF apps that users can connect to their accounts to open and edit PDF documents.
However, today, a hacker published a download link to the company's entire user database. The hacker's download link is for a 2.25GB ZIP file that holds a 4.06GB CSV file containing the user records of 24,386,039 Lumin PDF users.
With the help of a source, ZDNet has obtained a copy of this archive and verified its authenticity with several Lumin PDF users.
For the vast majority of user records, the CSV file contains users’ full names, email addresses, gender, (language) locale settings, and a hashed password string or Google access token.
For most user entries, there's a Google access token included in the leaked data, confirming that most Lumin PDF users are using the service as an add-on Google Drive app.
However, for 118,746 users, the leaked Lumin PDF data contained password strings that appear to have been hashed using the Bcrypt algorithm, suggesting these are users who registered an account on the Lumin PDF website.
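When a dump like this lands on an investigator's desk, the first job is to work out what kind of credential material each record actually holds before anyone is notified or anything is shared. The script below is an added example, not code from the article or from Lumin PDF: it reads a CSV in the shape the article describes (name, email, gender, locale, credential) and sorts the credential column into bcrypt hashes, Google OAuth access tokens and anything else. The column names, the sample rows, the fake hashes and tokens are all constructed; the "ya29." prefix used to spot Google access tokens is an assumption based on how Google commonly formats them, not something the article states.

```python
"""Triage a leaked user-record CSV by classifying its credential column.

Added example for this article; not the article's own code and not Lumin PDF's.
The CSV layout, the sample rows, the hash and token values below are constructed.
"""
import csv
import io
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Modular-crypt bcrypt layout: $2a$/$2b$/$2y$, two-digit cost, then a 22-char
# salt and a 31-char digest drawn from bcrypt's base64 alphabet (53 chars total).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Assumption: Google OAuth 2.0 access tokens commonly start with "ya29.".
# This is a heuristic for triage, not a guarantee.
GOOGLE_TOKEN_RE = re.compile(r"^ya29\.[\w\-.]+$")

# 32 hex characters is MD5-shaped; if it shows up in a password column it is a
# red flag worth reporting separately from properly hashed entries.
HEX32_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample data: fake people, fake tokens, a made-up bcrypt string.
SAMPLE_CSV = """name,email,gender,locale,credential
Alice Example,alice@example.com,f,en_US,ya29.a0AfH6SMBfakeTokenValueNotReal
Bob Example,bob@example.com,m,de_DE,$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
Carol Example,carol@example.com,,fr_FR,ya29.a0AfH6SMCanotherFakeTokenValue
Dan Example,dan@example.com,m,en_GB,0123456789abcdef0123456789abcdef
Eve Example,eve@example.com,f,en_US,
"""


def classify_credential(value: str) -> str:
    """Return a coarse label for one credential-column value."""
    value = (value or "").strip()
    if not value:
        return "none"
    if BCRYPT_RE.match(value):
        return "bcrypt"
    if GOOGLE_TOKEN_RE.match(value):
        return "google_access_token"
    if HEX32_RE.match(value):
        return "unsalted_md5_like"
    return "unknown"


def bcrypt_cost(value: str) -> Optional[int]:
    """Extract the bcrypt work factor, or None if the value is not bcrypt."""
    m = BCRYPT_RE.match((value or "").strip())
    return int(m.group(1)) if m else None


def redact(secret: str, keep: int = 4) -> str:
    """Mask a secret for reports: keep a short prefix, hide the rest."""
    secret = (secret or "").strip()
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def triage(csv_text: str, credential_column: str = "credential") -> Tuple[Counter, List[Dict[str, str]]]:
    """Count credential types and build a redacted per-user summary.

    The summary carries only the email, the credential type and a masked
    prefix, which is what you would hand to a notification or verification
    process rather than the raw tokens.
    """
    counts: Counter = Counter()
    summary: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row.get(credential_column, "") or ""
        kind = classify_credential(raw)
        counts[kind] += 1
        summary.append({
            "email": row["email"],
            "credential_type": kind,
            "credential_masked": redact(raw),
        })
    return counts, summary


if __name__ == "__main__":
    found, rows = triage(SAMPLE_CSV)
    for kind, n in found.most_common():
        print(f"{kind:22s} {n}")
    for r in rows:
        print(r)
```

On real data the interesting outputs are the counts (how many live-looking OAuth tokens versus hashed passwords), the bcrypt cost factors (a low work factor changes the cracking-risk assessment), and any MD5-shaped strings that suggest a weaker legacy hashing scheme alongside bcrypt.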
Hacker claims Lumin PDF ignored contact attempts
Writing on the forum, the hacker claimed to have obtained the data from a MongoDB database belonging to Lumin PDF that was left exposed online without a password back in April 2019.
“The unprotected database was found about 5 months ago,” the hacker wrote. “Vendor was contacted multiple times, but ignored all the queries.
“The data was later destroyed by ransomware, and server taken down soon after,” the hacker added.
Such destructive attacks on MongoDB servers aren’t new and have been happening since late 2016. Cybercriminals have made a habit out of accessing unprotected MongoDB databases, deleting their content, and leaving a ransom note behind hoping that a clueless victim would pay a ransom demand for data that doesn’t exist anymore.
The hacker, whose name we won’t be sharing in this article, did not make it particularly clear why they were sharing Lumin PDF’s user records, despite the Lumin PDF server and the data not being available anymore. At a first glance, this looks like petty revenge.
ZDNet reached out to Lumin PDF, but the company did not return a request for comment before this article’s publication.
What users can do
The most dangerous part of this leak is the presence of Google access tokens in the leaked data. These access tokens can allow malicious threat actors to pose as legitimate users and access Google Drive accounts. One caveat: Google OAuth access tokens are short-lived, typically expiring within about an hour, so tokens copied from a database that was abandoned months ago are unlikely to work on their own. The lasting risk is the app's authorization itself, which is why revoking it (below) is the right step regardless of whether any individual token in the dump is still valid.
ZDNet has notified Google of the leaked data and the presence of the leaked access tokens. A Google spokesperson said the company is investigating the incident.
In the meantime, to prevent any unauthorized access to Google Drive accounts, users who used Lumin PDF are advised to revoke the app’s access to their Google Drive account.
Instructions on how to do this are available on this Google Drive support page, and also below:
- On your computer, go to drive.google.com.
- Click the cog (settings) icon in the top-right menu bar.
- Click the Settings option in the drop-down menu.
- Click Manage apps in the side menu.
- Next to the app, click Options.
- Click Disconnect from Drive.
To confirm the app no longer has access to the account, also check the list of third-party apps with account access at https://myaccount.google.com/permissions and remove Lumin PDF there if it is still listed.