Foxit Software, the company behind the Foxit PDF reader app, said today that hackers breached its servers and have made off with some user information.
ZDNet learned of the breach from a Foxit customer who shared a copy of the email the company is sending out to affected users, asking them to choose new passwords the next time they log in.
According to this email, the security breach impacted the company’s website, specifically the information stored in the My Account section.
Foxit web accounts are how the company manages its existing customers and is where users can access trial software, download purchased products, and access order histories.
Foxit said hackers managed to access MyAccount data such as email addresses, passwords, real names, phone numbers, company names, and IP addresses from which users logged into their accounts.
Due to the presence of IP addresses in the data hackers managed to access, this is believed to be a breach of Foxit’s backend infrastructure, rather than a credential stuffing attack.
A Foxit spokesperson could not be reached for additional clarification.
Were the passwords hashed or in plaintext?
The biggest mystery is whether Foxit had protected customer passwords through a process called hashing and salting. Hashing and salting a password string prevents an attacker from being able to read it in plaintext.
The email sent to customers and a security advisory posted on the Foxit Software website did not mention whether the passwords were hashed and salted.
The software maker said it invalidated all passwords for customers who it believed were impacted by the security breach.
However, if the passwords were available in cleartext, then attackers can use them to gain access to users’ accounts on other websites if users made the mistake of reusing passwords.
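What a stolen account table contains when passwords are hashed and salted, as an added example that is not Foxit's code and not part of the original article. The choice of scrypt, its cost parameters, the field names and the sample accounts are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters for this example (not taken from the article).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_password(password, salt=None):
    """Return the record a server stores in place of the password itself."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024, dklen=32,
    )
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password, record):
    """Re-derive the hash with the stored salt and compare in constant time."""
    candidate = hash_password(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate["hash"], record["hash"])


def build_account_table(accounts):
    """Map each email to its salted hash record; no plaintext is kept."""
    return {email: hash_password(pw) for email, pw in accounts.items()}


# Constructed sample data: two users who picked the same password.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "Tr0ub4dor&3-constructed",
    "bob@example.com": "Tr0ub4dor&3-constructed",
}

if __name__ == "__main__":
    table = build_account_table(SAMPLE_ACCOUNTS)
    for email, record in table.items():
        # This is all a database dump would expose per account.
        print(email, record["salt"], record["hash"])
    # Same password, different salts, so the stored hashes do not match.
    print(table["alice@example.com"]["hash"] != table["bob@example.com"]["hash"])
    print(verify_password("Tr0ub4dor&3-constructed", table["alice@example.com"]))
```

A dump of this table exposes only salts and hashes, so each password still has to be guessed individually; a table storing the password string itself would hand over every account's password at once.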
Foxit also didn’t date the security incident, and it’s currently unknown if the breach occurred this week, last month, or in previous years. If this is an old breach that has only been recently discovered, then hackers might have had a huge head start in abusing the stolen data.
The company did say, however, that hackers didn’t access any financial information. It also said it’s working with a forensic firm to investigate further, and that it notified law enforcement and data protection authorities.
Foxit Software should not be confused with Fox-IT, a cyber-security firm with a similar name, which had its own cyber-security incident in December 2017.