In October 2020, Nitro Software released a statement confirming it had experienced a "low-impact security incident." The company initially claimed that no customer data was impacted.
The breach itself is believed to have occurred in 2020, shortly before that October disclosure, when an unauthorized party gained access to the company's systems. Sensitive data, including customer names, email addresses, and hashed passwords, may have been accessed or stolen. Hashed passwords are not plaintext, but weak or reused ones can still be recovered by offline guessing against the leaked hashes.
Nitro Software still operates today; it was later taken private by a private equity firm and continues to sell PDF tools. But for the 77 million users whose records ended up circulating publicly, the company's name will remain linked to one of the most avoidable breaches in SaaS history.
If you lead a team, forward this to anyone who uses Nitro PDF. The biggest risk is not the breach itself but password reuse: a password recovered from the leaked hashes works anywhere else that same password was used.
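A practical check for that reuse risk, added here as an example and not taken from the original article or from Nitro: test a password against a breach corpus without ever sending the password itself, using the k-anonymity range-query pattern (hash with SHA-1, send only the first five hex characters, match the rest locally). The range response embedded below is constructed so the code runs offline; the `fetch_range_online` helper shows the real request shape against the Pwned Passwords API (an assumption about the service, not something the article describes).

```python
"""Check whether a password appears in a breach corpus, k-anonymity style.

Added example, not code from the original article or from Nitro.
Only a 5-hex-char prefix of the SHA-1 hash leaves the machine; the
remaining 35 characters are matched locally against the returned list.
"""
import hashlib
import urllib.request
from typing import Callable


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a 'SUFFIX:COUNT' per-line range response; 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        cand, _, count = line.partition(":")
        if cand.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password was seen in the corpus (0 = not found).

    fetch_range receives only the 5-char prefix and returns the range body.
    """
    prefix, suffix = split_hash(password)
    return count_in_range(fetch_range(prefix), suffix)


def fetch_range_online(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range endpoint (assumed API shape).

    Not called by the offline demo below; requires network access.
    """
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "reuse-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# CONSTRUCTED range response for prefix 5BAA6 (SHA-1("password") starts
# with 5BAA6). A real response has several hundred suffix lines; the
# counts here are made up for the demo.
FAKE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2B5A1CD8A2E6E1B44D5B5B9A1B9E0E8D1F0:1
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range_online that serves the constructed data."""
    return FAKE_RANGE_5BAA6


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7!"):
        hits = check_password(pw, offline_fetch)
        verdict = f"seen {hits} times, change it everywhere" if hits else "not in corpus"
        print(f"{pw!r}: {verdict}")
```

Swap `offline_fetch` for `fetch_range_online` to run it for real; the password never leaves the host in either case, only the prefix does, so the check can be distributed to staff without asking them to paste secrets into a form.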
Phone numbers were not confirmed in the primary dump, but supplementary leaks sometimes include them. Combined with the personal details that were exposed, a phone number enables SIM-swapping attacks that bypass SMS-based two-factor authentication.
The compromised information fell into two main categories: user account records and document metadata. The PDF files themselves were not in the affected database.

User Account Databases
Because Nitro PDF services are widely used in corporate environments, the breach did not just affect individual consumers. It compromised data belonging to some of the world's largest organizations, including tech giants, global financial institutions, and government agencies.

Enterprise and Supply Chain Impact
Limit user and software permissions so that a breach in one department or application cannot easily be used to move laterally to critical corporate servers.
The exposure of these companies highlighted a critical reality of modern cybersecurity: your enterprise security is only as strong as your least secure third-party vendor.

4. How the Breach Happened: The Attack Vector
A: Nitro has since patched the vulnerability, tightened database access controls, and undergone external audits. As of 2024, no new breaches have been reported, but no cloud service is immune to compromise.
Crucially, Nitro stated that the affected database did not contain actual user or customer PDF documents.

Timeline & Discovery
The writing is quite good.