On September 30, 2020, Nitro became aware of an isolated security incident involving limited access to Nitro databases by an unauthorized third party.
Upon learning about this incident, Nitro took immediate action to ensure the Nitro environment was secure and commenced an investigation with the support of leading cybersecurity and forensic experts. The investigation is now complete, and Nitro can provide further details:
- The incident involved access to specific Nitro databases, which support certain online services and have been used primarily for the storage of information connected with Nitro’s free online products.
- Nitro’s free online conversion service does not require users to create a Nitro account or to become a Nitro customer. Users are simply required to provide an email address to which converted files are delivered.
- There was no impact to Nitro Pro or Nitro Analytics.
- Exposed user data included user email addresses, full names, highly secure hashed and salted passwords, as well as document metadata in relation to the Nitro online services. A very small portion of the information included company names, titles, and IP addresses.
- Passwords were not impacted for users who access our cloud services via Single Sign-On (SSO).
- The investigation further identified limited activity by the unauthorized third party in a legacy cloud services location, impacting less than 0.0073% of stored data in this location. The activity suggests the unauthorized third party was specifically focused on obtaining data related to cryptocurrency.
Upon learning of this incident, Nitro conducted a forced password reset for all users to further secure customer accounts. In addition to this, general guidance to maintain good cyber hygiene includes:
- Changing online account passwords regularly, using a separate password for online banking, and using a password manager for remembering multiple passwords.
- Never emailing passwords for online accounts, and confirming whether online accounts are secure by visiting https://haveibeenpwned.com/.
- Enabling multi-factor authentication for online accounts where possible and ensuring up-to-date anti-virus software is installed on any device used to access online accounts.
Since the incident, the Nitro IT Security Team has been working closely with external cybersecurity experts to bolster the security of all systems, including enhanced logging, detection and alerting services in all regions, as well as increased data monitoring and re-evaluation of all protocols. The IT environment remains secure and Nitro has not seen any malicious activity since the incident.
Nitro takes the safety and security of our customers’ data seriously, and we are here to support our customers in any way that may be helpful. We encourage anyone with questions to contact incident@gonitro.com.