Foxit Software reveals data breach that exposed users' email addresses, passwords and more
Foxit Software has revealed that it "recently" suffered a security breach in which private user data was exposed to unnamed third parties. Those whose accounts have been affected are being contacted and "encouraged to change their passwords".
The company -- famed for PDF applications such as Foxit Reader and PhantomPDF -- does not say when the incident took place, nor how many users are affected, but it explains that the "My Account" section of user accounts was exposed. This includes data such as email addresses, passwords, users' names, phone numbers, company names and IP addresses, but not payment information.
In emails sent out to those affected by the breach, Foxit fails to say whether passwords were hashed and salted, or if they were stored in plain text. The company explains that the "My Account" section is a "free membership service that gives customers access to software trial downloads, order histories, product registration information, and troubleshooting and support information. The system holds users’ names, email addresses, company names, IP addresses, and phone numbers, but does not hold other personal identification data or payment card information. Foxit does not keep customer credit card information in its systems".
The company warns users to be vigilant for phishing and identity theft.
In a statement posted on its website, Foxit says:
Foxit has determined that unauthorized access to its data systems took place recently. Third parties have gained access to Foxit's "My Account" user account data, which contains email addresses, passwords, users' names, phone numbers, company names and IP addresses. No payment information was exposed.
Foxit's security team has immediately launched a digital forensics investigation. The company has invalidated the account passwords for all potentially impacted accounts, requiring users to reset their passwords to regain access to the My Account service. Foxit has notified law enforcement agencies and data protection authorities and is destined to cooperate with the agencies' investigations. In addition, the company has hired a security management firm to conduct an in-depth analysis, strengthen the company’s security posture and protect against future cyber security incidents.
Foxit has contacted all affected users and informed them about the risks and what steps to take to keep risks at a minimum.
On Twitter, Foxit Software faced criticism for limiting new passwords to 20 characters:
@foxitsoftware max 20 chars!? REALLY!? You're doing it VERY VERY wrong!
This does NOT instill confidence, especially in the light of your breach notification.
— Ian.H (@icawebdesign) August 30, 2019
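Two points raised above, whether passwords were salted and hashed and why a 20-character cap is unnecessary, can be shown together. The following is an added illustration, not Foxit's code or anything described in its statement; it assumes a PBKDF2-HMAC-SHA256 scheme with a random per-user salt, and the iteration count and record format are choices made here for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the article):
# PBKDF2-HMAC-SHA256, 16-byte random salt per user, 600k iterations.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    The password is fed into the KDF as UTF-8 bytes of any length, so the
    stored record has a fixed size no matter how long the passphrase is.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def record_length(password: str, iterations: int = ITERATIONS) -> int:
    """Length of the stored record; constant regardless of password length."""
    return len(hash_password(password, iterations=iterations))


if __name__ == "__main__":
    short, long_pw = "correct horse", "a" * 64   # constructed sample passwords
    print(record_length(short) == record_length(long_pw))       # True
    print(verify_password(long_pw, hash_password(long_pw)))     # True
```

Because the record size does not depend on the input, a hashed-and-salted store gains nothing from a 20-character ceiling; two accounts sharing the same password also receive different records, which is what the salt is for.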
The company has also been criticized for failing to give details of when the security breach took place, and ZDNet speculates that the attack was a server hack rather than an example of credential stuffing.