Users of software house Foxit's free and paid-for products, including its popular PhantomPDF editor, may have fallen victim to a data breach – with stolen data including users' website passwords.
Foxit admitted to the breach earlier today, stating that "third parties" had gained access to its My Account user data.
That data comprised "email addresses, passwords, users' names, phone numbers, company names and IP addresses" but not payment card information. The Register has asked Foxit's people whether the passwords were hashed and salted and will update this article when they respond.
The firm has "launched a digital forensics investigation" and forced password resets on all of the affected users. A US company registered in the state of California, Foxit said it had informed local law enforcement and data protection authorities.
Foxit is also enforcing password resets on its users with a hard 20-character length limit, saying this would make new passwords "strong enough".
"Sorry for the inconvenience. Please make sure your password is between 8-20 characters long, includes both lower and upper case characters, and includes at least one number or special character. Then it will be strong enough."
— Foxit Software (@foxitsoftware) August 30, 2019
Foxit is best known for its PhantomPDF product, which lets users create and, vitally, edit PDF files without needing to buy Adobe's painfully expensive Acrobat suite. PhantomPDF's consumer and enterprise versions are free for the first 30 days provided you register an account with Foxit – and hand over all the details that person or persons unknown illegally accessed.
The standard advice after a password breach, aside from resetting the password, is to keep an eye on your bank statements and credit score in case any unauthorised transactions or other sudden changes show up, such things being a key indicator of potential identity theft.
Most important is that any passwords you may have reused on Foxit's website are immediately reset too. Credential stuffing is an ever-popular account compromise method among cybercrooks and if Foxit's password cache was indeed neither salted nor hashed, this could be severely problematic for its customers. ®
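To make concrete why the hashed-and-salted question matters, here is an added illustration (not Foxit's code) of a registration back end that enforces the 8-20 character rule from Foxit's tweet and stores each password as a salted PBKDF2 hash, so two users who reused the same password get unrelated records and a leaked table cannot be replayed directly in credential stuffing. The iteration count and record format are assumptions of this example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed example, not Foxit's code. Policy values are the ones quoted in
# Foxit's tweet; the PBKDF2 work factor is an assumption, tune it to hardware.
MIN_LEN, MAX_LEN = 8, 20
PBKDF2_ITERATIONS = 600_000


def meets_policy(password: str) -> bool:
    """8-20 characters, both cases, and at least one digit or special character."""
    if not (MIN_LEN <= len(password) <= MAX_LEN):
        return False
    has_lower = re.search(r"[a-z]", password) is not None
    has_upper = re.search(r"[A-Z]", password) is not None
    has_digit_or_special = re.search(r"[^a-zA-Z]", password) is not None
    return has_lower and has_upper and has_digit_or_special


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored credential
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password: str) -> Optional[str]:
    """Reject weak passwords; otherwise return the record to store (never the password)."""
    return hash_password(password) if meets_policy(password) else None
```

Because every record carries its own salt, identical passwords chosen by different users do not produce identical hashes, which is what denies an attacker holding the dump a cheap lookup of which accounts share a password.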