Foxit Software Breach Exposes Account Data
Foxit Software, the maker of popular PDF and document
software, says account data was exposed after intruders gained access to its
systems.
The company posted a security advisory on Friday that says
attackers accessed "My Account" user data. Those registrations
include email addresses, passwords, user names, phone numbers, company names
and IP addresses, according to the advisory.
Foxit says a My Account registration allows customers to
download trial software, access order histories and obtain product registration
and support information. It claims that the registrations do
not include "personal identification data" or payment card
information, as it does not retain card information.
The company has initiated a password reset for the affected
accounts. It also says it has begun notifying users. ZDNet published a
screenshot of the email sent to affected users.
"Foxit has notified law enforcement agencies and data
protection authorities and is destined to cooperate with the agencies'
investigations," the company says in its advisory. "In addition, the
company has hired a security management firm to conduct an in-depth analysis,
strengthen the company's security posture and protect against future cyber
security incidents."
Foxit Software's headquarters is in Fremont, Calif. Last
year, the state passed one of the most comprehensive privacy and security laws
in the U.S., although that law does not take effect until January (see Will
California Privacy Law Be a Model for Other States?). Foxit's European
headquarters is in Dublin, where it would be required to file a notification
under the General Data Protection Regulation.
Large User Base, Including Banks
Foxit offers a suite of PDF tools that compete in part with
those of Adobe Systems. While Foxit might not have the same name-brand
recognition as Adobe, its tools are nevertheless widely used, with Foxit
reporting that it has 100,000 customer organizations comprising 560 million
users worldwide.
Users of Foxit's software include numerous banks. Laying the
groundwork for the theft of $81 million from the central bank of Bangladesh in
2016, for example, hackers infected Bangladesh Bank systems with a Trojanized
version of the Foxit PDF reader used by employees. The modified version allowed
attackers to hide fraudulent transactions (see SWIFT Deduction: Assume You've
Been Hacked).
Subsequently, threat-intelligence firm iSight Partners -
part of FireEye - warned that Trojanized PDF-reading software had also been
recovered from the networks of other targeted banks, including a bank in
Vietnam. "The malware used to target the Vietnamese bank replaces Foxit's
popular PDF reader software to mask records of SWIFT transactions when
read," iSight Partners said. "When reports are read through the PDF
reader, SWIFT records are altered to remove traces of fraudulent transactions."
Scant Breach Details
The software maker's public breach notification is light on
details, which is not unheard of in the early days after a breach. But Foxit
doesn't say how many accounts were affected, although it says it has contacted
all of those affected. It also doesn't specify the time period over which the
exposure occurred or how it occurred.
Multiple efforts to reach a Foxit spokesperson or officials
via corporate email addresses weren't immediately successful.
Foxit also doesn't give more detail about the circumstances
under which the passwords were exposed. If the passwords were stored in plain
text, that would mark a worst-case scenario.
Organizations typically hash passwords. Hashing involves
running a plain-text password through a one-way algorithm. Only the output gets
stored in an organization's systems, which reduces the risk if the stored hashes
are compromised, because the original passwords cannot be read directly from them.
But some hashing algorithms are no longer considered secure
because they run so quickly that their output remains susceptible to rapid
password guessing via dictionary attacks, in which an attacker hashes each
candidate password and compares the result with the stolen hash.
Foxit has yet to publicly specify its hashing scheme.
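As an added illustration of the two storage schemes the paragraphs above contrast (this is example code, not anything taken from Foxit's systems, and the sample password is constructed): an unsalted single-round SHA-256 hash, which is fast to guess against and identical for every user who picks the same password, beside a salted, iterated PBKDF2-HMAC-SHA256 record with constant-time verification. The iteration count is an assumption chosen to make each guess expensive.

```python
import hashlib
import hmac
import os

# Constructed sample password; not taken from any breach data.
SAMPLE_PASSWORD = "Summer2019!"


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-256.

    This is the weak pattern: the function is fast, so a dictionary attack
    can hash candidate words at hardware speed, and because there is no
    salt every user with the same password produces the same stored value.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = 600_000) -> str:
    """Build a record 'pbkdf2_sha256$iterations$salt$hash'.

    A random 16-byte salt per user defeats precomputed tables and hides
    password reuse across accounts; the iteration count (an assumed
    value) slows each guess an attacker must make against a stolen record.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count
    and compare in constant time so timing does not leak partial matches."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Two users with the same password: identical weak hashes, distinct records.
    print(weak_hash(SAMPLE_PASSWORD) == weak_hash(SAMPLE_PASSWORD))   # True
    print(store_password(SAMPLE_PASSWORD) == store_password(SAMPLE_PASSWORD))  # False
```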
Behind the Times?
Foxit does not appear to be sporting the latest security
thinking, at least in practice. In the days prior to the breach, for example, the
company received a ribbing on Twitter for its password-reset system, which
mandates that users set a password of between six and 20 characters that must
include at least one number or special character.
As multiple experts have noted, such guidance doesn't
conform to current password security recommendations. As such, it's a sign that
Foxit may have missed some current, prevailing wisdom about password security.
In updated guidance released two years ago, for example, the U.S National
Institute of Standards and Technology says that passwords should have no fewer
than eight characters.
On the upper bound, NIST says service providers should
support passwords up to at least 64 characters. Also, NIST revised its guidance
to reject long-held password beliefs, including imposing composition rules and
requiring users to arbitrarily change their passwords after a set period of
time.