A spate of data breaches in the past year has refocused user attention on online security, particularly on cloud platforms.
Cloud storage has become standard in recent years as a way to keep documents and projects conveniently synced and accessible across devices. Computer hard disks can be damaged and smartphones can be lost, but files stored in the cloud can be accessed simply by having an internet connection. Typically, cloud storage is secured with multi-factor authentication and automatic security notifications when suspicious activity is detected. These steps help protect your files or data from getting into the wrong hands.
However, no system is perfect, and cloud data breaches confirm that. When the massive data breach at Dropbox happened in 2012, few people understood its severity. It was only announced four years later that hackers tapped into more than 68 million personal accounts – accessing data like email addresses and passwords – representing nearly 5 gigabytes of data. In January 2019, Apple announced that a bug in its platform had resulted in exposed iCloud user data.
Following on the heels of the iCloud breach, hackers compromised Lumin PDF’s contact database in late 2019, resulting in the exposure of Lumin users’ non-sensitive details, such as gender and name. Several months later, the company reports that they have tightened security around the platform to safeguard their users’ privacy.
Is Lumin PDF safe? Recent update
Lumin PDF stores user data on the MongoDB database. Currently, it’s one of the most popular NoSQL databases, used by Google, Adobe, Paypal, and many others. Among MongoDB’s strengths are a flexible data model, excellent query performance, and high scalability. As a rule, it’s a high-database for a variety of projects across industries.
What was not known about MongoDB initially is that it had been operating using outdated instances that opened its clients up to attack. David Kirkpatrick, security expert at SpiderLabs, says MongoDB’s multiple interfaces are inherently weak. “By default, the service will bind to all available interfaces, which can be problematic. You could essentially expose the whole database to a less trusted DMZ," says Kirkpatrick. Furthermore, the IT giant failed to provide an authentication mechanism when used in certain modes.
The results of MongoDB’s negligence were catastrophic. In 2019, scores of companies that had been running on the server became the victims of a chain of attacks by cybercriminals who deleted data from the original database after copying it to their own servers. In the resulting breaches, the records of over 800 million users were stolen and held for ransom in Bitcoin. As companies rushed to meet the hackers’ demands, it quickly became clear that the hackers did not intend to return all data. Many companies that handed over the ransoms were rewarded with empty databases despite meeting the demands of the cybercriminals. Other companies, wary of falling into the same trap, refused to negotiate with the hackers.
After attacks on Mongo databases, hackers successfully diversified efforts to many other servers, including Hadoop, Cassandra, ElasticSearch, MySQL, and CouchDB.
MongoDB, Inc., the company behind Mongo databases has since fixed this security issue by releasing a new MongoDB 2.6.0 database version accessible only by local connections.
Lumin PDF breach: Summary
When Lumin PDF announced the data breach, many users of the Lumin PDF extension and Lumin PDF app panicked, thinking that their Google Drive was hacked. These fears, thankfully, were ungrounded. Ferguson later confirmed the hackers had been successful in accessing only users’ names, email addresses, gender, and language settings. Credit card details and passwords remained secure.
The leaked data was from a software application that is used by the Lumin PDF team to test new features. As a result, the leaked data was at least 8 months old. Google access tokens allowing users to access their Google Drive accounts included in the leak expire about one hour after their creation, so their was no risk that any files were compromised. Because of this, the attackers gained access to a very limited range of data. Lumin’s security system blocking access to all user documents, signatures, and sensitive data remained uncompromised.
Lumin PDF reviewed the incident right away, implementing strong internal security policies to prevent any similar incident being repeated. Since the breach, the Lumin PDF security team took a serious look at how they could put more teeth in their security stance. “We are always reviewing how we can strengthen protection around our databases. We employ encryption and role-based access control, as well as a rigorous set of security policies,” says Lumin PDF’s CEO, Max Ferguson. “We’ve implemented multi-layered security, a strategy that protects data by multiple strong layers of security. Out of all the companies that were targeted in the MongoDB breaches, a significant number of them are also implementing these measures.”
Lumin moved immediately to fortify its cybersecurity defenses with:
- Role-based access control intensified. Lumin has heightened authentication requirements at the same time as narrowing access controls. This reduces the risk of a breach internally.
- Transport Layer Security implemented. Cybercriminals use a man-in-the-middle attack (MITM) to covertly intercept communications between two parties. Sometimes, they then alter this information without the receiving party catching on. Following the Lumin PDF security breach, the company added Transport Layer Security (TLS) onto its existing encryption. TLS is widely considered superior to other types of encryption due to its simultaneous utilization of two kinds of encryption: private key and symmetric. Secured doubly, it is able to securely send sensitive data. At the same time, TLS reduces response times by detecting possible message tampering and notifying the system automatically.
- Multi-layer encryption launched. Lumin PDF users now have every bit of their data doubly protected with secure session tokens. If a hacker succeeds in breaching the first layer of security around the database, data will remain protected by the encrypted session tokens.
- Continuous system auditing implemented. Lumin PDF has enabled round-the-clock monitoring of suspicious activity. If the system detects any unusual events, it is set to notify admins immediately and it records audit events in a file or a syslog connection. A security information and event management tool (SIEM) then analyzes security events occurring on the network and identifies in real time malicious activity.
- Tightened firewall protection. Beefed up firewall protection protects Lumin PDF servers and databases.
- Clearer link sharing policies. Now when users create a new file, they reconfirm their sharing settings each time. This helps users avoid unintentionally sharing a document.
Risk is an inherent part of technology use, whether data is being stored locally or in the cloud. Shuman Ghosemajumder, Global Head of Artificial Intelligence at F5, the expectation of 100% security “untenable” because of how rapidly hackers evolve their attacks. Ultimately, the most important factor in data security is the willingness of an organization to consistently reevaluate its security stance.
At the same time, it’s essential to assess risk wisely for any platform before you use it. Is Lumin PDF safe? This is a smart question to ask before entrusting your documents to any cloud platform.
Lumin PDF’s intensified security measures show that the company is not taking user security lightly - and that seems to be reflected in the results. There have not been any further incidents and, if the past year is any indicator, there won’t be.