What happened
According to public breach records, the Nitro data breach on September 28, 2020 is reported to have exposed the personal information of 77,159,696 accounts.
In September 2020, the Nitro PDF service suffered a massive data breach which exposed over 70 million unique email addresses. The breach also exposed names, bcrypt password hashes and the titles of converted documents. The data was provided to HIBP by dehashed.com.
Passwords in this breach were reportedly stored as bcrypt hashes.
In September 2020, Nitro Software, maker of the Nitro PDF productivity suite, suffered a breach in which a database of 77,159,696 user records was stolen. The company initially disclosed it to the Australian Securities Exchange on October 21, 2020 as a low-impact security incident that it said did not affect customer data. The stolen database first surfaced when a threat actor auctioned it alongside about 1 TB of documents for $80,000, and a threat actor linked to the ShinyHunters group later leaked the full database for free on a hacker forum. The exposed records contained email addresses, full names, and bcrypt-hashed passwords, and were notable for including accounts tied to large organizations such as Google, Apple, and Microsoft.
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Names
- Passwords (stored as bcrypt hashes)
Breach details
| Detail | Value |
|---|---|
| Breach name | Nitro |
| Date | September 28, 2020 |
| Accounts affected | 77,159,696 |
| Domain | gonitro.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Nitro; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your Nitro account password and any other account where you reused it; the passwords were bcrypt-hashed rather than plaintext, but hashes can still be cracked offline over time.
- Enable two-factor authentication on your Nitro account and on the email accounts that shared the same password.
- Be wary of unexpected emails referencing Nitro, PDFs, or document conversions, since the leaked name-plus-email pairs make targeted phishing easier.
- Use a password manager to set a unique password per account so one leaked credential cannot unlock the rest.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- Hacker leaks full database of 77 million Nitro PDF user records (BleepingComputer)
- Have I Been Pwned: Nitro Data Breach