[BreachExchange] Foxit Software reveals data breach that exposed users' email addresses, passwords and more

Destry Winant destry at riskbasedsecurity.com
Tue Sep 3 09:57:00 EDT 2019


https://betanews.com/2019/08/31/foxit-software-security-breach/

Foxit Software has revealed that it "recently" suffered a security
breach in which private user data was exposed to unnamed third
parties. Those whose accounts have been affected are being contacted
and "encouraged to change their passwords".

The company -- famed for PDF applications such as Foxit Reader and
PhantomPDF -- does not say when the incident took place, nor how many
users are affected, but it explains that the "My Account" section of
user accounts was exposed. This includes data such as email addresses,
passwords, users' names, phone numbers, company names and IP
addresses, but not payment information.

In emails sent out to those affected by the breach, Foxit fails to say
whether passwords were hashed and salted, or if they were stored in
plain text. The company explains that the "My Account" section is a
"free membership service that gives customers access to software trial
downloads, order histories, product registration information, and
troubleshooting and support information. The system holds users’
names, email addresses, company names, IP addresses, and phone
numbers, but does not hold other personal identification data or
payment card information. Foxit does not keep customer credit card
information in its systems".

The company warns users to be vigilant for phishing and identity theft.

In a statement posted on its website, Foxit says:

Foxit has determined that unauthorized access to its data systems took
place recently. Third parties have gained access to Foxit's "My
Account" user account data, which contains email addresses, passwords,
users' names, phone numbers, company names and IP addresses. No
payment information was exposed.

Foxit's security team has immediately launched a digital forensics
investigation. The company has invalidated the account passwords for
all potentially impacted accounts, requiring users to reset their
passwords to regain access to the My Account service. Foxit has
notified law enforcement agencies and data protection authorities and
is destined to cooperate with the agencies' investigations. In
addition, the company has hired a security management firm to conduct
an in-depth analysis, strengthen the company’s security posture and
protect against future cyber security incidents.

Foxit has contacted all affected users and informed them about the
risks and what steps to take to keep risks at a minimum.

On Twitter, Foxit Software faced criticism for limiting new passwords
to 20 characters:

@foxitsoftware max 20 chars!? REALLY!? You're doing it VERY VERY wrong!

This does NOT instill confidence, especially in the light of your
breach notification.

//cc @troyhunt

The company has also been criticized for failing to give details of
when the security breach took place, and ZDNet speculates that the
attack was a server hack rather than an example of credential
stuffing.
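The two technical points raised above are whether the stored passwords were salted and hashed, and the 20-character cap on new passwords. The following Python is an added example, not Foxit's code and not from the article, showing what a practitioner would expect instead: per-user random salts with a memory-hard KDF (scrypt from the standard library), constant-time verification, a length bound measured in kilobytes that exists only to limit KDF cost on attacker-supplied input rather than a 20-character usability cap, and the account-invalidation step the statement describes (old credentials refused until the user resets). The cost parameters, the stored-hash field layout, the record structure and the sample passphrase are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy constants for this example. The byte bound limits how much
# attacker-chosen input the KDF will process; it is not a usability limit.
MAX_PASSWORD_BYTES = 1024
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB per hash at these settings
SALT_LEN = 16
KEY_LEN = 32

# Constructed sample passphrase, deliberately longer than 20 characters.
LONG_PASSPHRASE = "correct horse battery staple, but longer and with punctuation!"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scrypt$N$r$p$salt_hex$key_hex."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    salt = os.urandom(SALT_LEN) if salt is None else salt   # fresh random salt per user
    dk = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt/parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record (e.g. a plain-text value)
    if scheme != "scrypt":
        return False                      # refuse anything that is not a salted KDF output
    pw = password.encode("utf-8")
    if not pw or len(pw) > MAX_PASSWORD_BYTES:
        return False
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(key_hex)
    dk = hashlib.scrypt(pw, salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def invalidate_for_reset(record: dict) -> dict:
    """Breach response: drop the stored hash and force a reset on next login."""
    record["password_hash"] = None
    record["must_reset"] = True
    return record


def check_login(record: dict, password: str) -> bool:
    """Login is refused outright for invalidated accounts; otherwise verify the hash."""
    if record.get("must_reset") or not record.get("password_hash"):
        return False
    return verify_password(password, record["password_hash"])


if __name__ == "__main__":
    # Constructed account record; the email address is a placeholder.
    rec = {"email": "user@example.invalid",
           "password_hash": hash_password(LONG_PASSPHRASE),
           "must_reset": False}
    print("long passphrase accepted:", check_login(rec, LONG_PASSPHRASE))
    print("wrong password rejected:", not check_login(rec, "hunter2"))
    print("same password, different salts:",
          hash_password("hunter2") != hash_password("hunter2"))
    invalidate_for_reset(rec)
    print("login refused after invalidation:", not check_login(rec, LONG_PASSPHRASE))
```

Two design choices are worth noting. The stored string carries its own parameters, so cost can be raised later and old records re-hashed on the user's next successful login. And the only rejection on length is the kilobyte bound, which is what a 20-character cap usually stands in for when the real cause is a legacy storage column or a pre-hashing scheme with a short input limit.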
