Foxit Software, the maker of popular PDF and document software, says account data leaked after intruders gained access to its systems.
Foxit says a My Account registration lets customers download trial software, view order histories, and obtain product registration and support information. It claims that the registrations do not include “personal identification data” or payment card information, as it does not retain card data.
The company has initiated a password reset for the affected accounts. It also says it has begun notifying users. ZDNet published a screenshot of the email sent to affected users.
“Foxit has notified law enforcement agencies and data protection authorities and is destined to cooperate with the agencies’ investigations,” the company says in its advisory. “In addition, the company has hired a security management firm to conduct an in-depth analysis, strengthen the company’s security posture and protect against future cyber security incidents.”
Foxit Software’s headquarters is in Fremont, Calif. Last year, the state passed one of the most comprehensive privacy and security laws in the U.S., although that law does not take effect until January (see Will California Privacy Law Be a Model for Other States?). Foxit’s European headquarters is in Dublin, where it would be required to file a notification under the General Data Protection Regulation.
Large User Base
Foxit offers a suite of PDF tools that compete in part with those of Adobe Systems. While it doesn’t quite have the same recognition as Adobe, its tools are widely used. Foxit says it has 100,000 customers comprising 560 million users worldwide.
Its public breach notification is short on details, which is not unheard of in the early days after a breach. Foxit doesn’t say how many accounts were affected, although it says it has contacted all of them. It also doesn’t specify the time period over which the exposure occurred or how the intruders got in.
Efforts to reach a Foxit spokesperson or officials via the company’s security and data protection emails weren’t immediately successful.
Foxit also doesn’t give more detail about the circumstances under which the passwords were exposed. If the passwords were stored in plain text, that would mark a worst-case scenario.
Organizations typically hash passwords rather than store them in plain text. Hashing runs the password through a one-way function and stores only the output, so an attacker who steals the database still has to guess each password rather than simply read it.
Some hashing algorithms are no longer considered suitable for passwords. Fast general-purpose hashes such as MD5 and SHA-1, particularly when used without a per-user salt, let an attacker test huge numbers of candidate passwords per second and compare the results against the stolen hashes, so common passwords fall to dictionary attacks almost immediately. Purpose-built password hashes such as bcrypt, scrypt, Argon2 or PBKDF2 are deliberately slow and salted to blunt that. Foxit didn’t specify its hashing scheme.
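The difference between the two storage schemes described above, as an added example that is not from Foxit or from the original article: an unsalted SHA-1 digest is recovered by hashing a short wordlist and comparing, while the same password stored with a random salt and scrypt has to be attacked one account at a time at scrypt's cost. The wordlist and the scrypt cost parameters are constructed for illustration, and the `scrypt$salt$digest` storage format is an assumption of this example, not any vendor's format.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a cracking dictionary; not real leaked data.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "foxit2019"]

# scrypt cost parameters (assumed values for illustration; tune to the deployment).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1: a fast general-purpose hash. Every account that chose the
    same password gets the same digest, and precomputed tables apply directly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hex: str, wordlist=WORDLIST) -> Optional[str]:
    """Recover a password from an unsalted SHA-1 digest by hashing each
    candidate and comparing. Returns the plaintext or None if not in the list."""
    for candidate in wordlist:
        if legacy_hash(candidate) == target_hex:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard scrypt hash stored as 'scrypt$<salt hex>$<digest hex>'.
    A fresh 16-byte salt per account means identical passwords produce
    different records, so a precomputed table cannot be reused."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        dklen=32,
    )
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, _digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    leaked = legacy_hash("password123")
    print("unsalted SHA-1 cracked:", dictionary_attack(leaked))
    record = hash_password("password123")
    print("scrypt record:", record)
    print("verify:", verify_password("password123", record))
```

The attack function still works against a salted scrypt record in principle, but only by recomputing scrypt for every candidate against every account's salt, which is the whole point of a slow, salted password hash.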
Behind the Times?
Foxit has recently taken a bit of ribbing on Twitter for its password reset system, which mandates that users set a password between six and 20 characters and include at least one number or special character. As multiple experts have noted, such guidance doesn’t conform to current password security recommendations.
That’s a sign that Foxit may have missed some of the prevailing wisdom about password security. In updated guidance released two years ago, for example, the U.S. National Institute of Standards and Technology says that user-chosen passwords should have no fewer than eight characters.
On the upper bounds, NIST says service providers should support passwords up to at least 64 characters. Also, NIST revised its guidance to reject long-held password beliefs, including imposing composition rules and requiring users to arbitrarily change their passwords after a set period of time.
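The two policies side by side, as an added example that is not Foxit's code or from the original article: `legacy_policy` encodes the reset rule the article describes (6 to 20 characters plus a digit or special character), and `nist_policy` encodes the SP 800-63B recommendations named above (at least 8 characters, at least 64 accepted, no composition rules) together with the other checks that document pairs with them: Unicode normalization, a blocklist of known-compromised passwords, and rejection of context-specific or trivially patterned values. The blocklist here is a constructed stand-in, not a real breach corpus.

```python
import unicodedata
from typing import Tuple

# Constructed stand-in for a compromised-password blocklist; not real leaked data.
BREACHED = {"password", "123456", "qwerty123", "letmein!", "welcome1", "foxit2019"}

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def legacy_policy(pw: str) -> bool:
    """The rule described in the article: 6-20 characters, with at least one
    digit or special (non-alphanumeric) character."""
    has_digit_or_special = any(c.isdigit() or not c.isalnum() for c in pw)
    return 6 <= len(pw) <= 20 and has_digit_or_special


def nist_policy(pw: str, username: str = "", max_len: int = 64) -> Tuple[bool, str]:
    """Accept or reject per SP 800-63B memorized-secret guidance.
    Returns (accepted, reason). No composition rules are applied."""
    # Normalize so visually identical Unicode forms compare equal (NFKC).
    pw = unicodedata.normalize("NFKC", pw)
    # Count code points, so a multi-byte character counts as one character.
    n = len(pw)
    if n < 8:
        return False, "shorter than 8 characters"
    if n > max_len:
        return False, f"longer than {max_len} characters"

    lowered = pw.lower()
    if lowered in BREACHED:
        return False, "found in compromised-password list"
    if username and username.lower() in lowered:
        return False, "contains the username"
    if len(set(lowered)) == 1:
        return False, "single repeated character"
    if lowered in ALPHABET or lowered in DIGITS:
        return False, "sequential characters"
    return True, "ok"


def compare(pw: str, username: str = "") -> dict:
    """Show what each policy does with the same candidate password."""
    accepted, reason = nist_policy(pw, username)
    return {"legacy": legacy_policy(pw), "nist": accepted, "reason": reason}


if __name__ == "__main__":
    for candidate in ["Foxit1!", "correcthorsebatterystaple", "welcome1", "12345678"]:
        print(repr(candidate), compare(candidate))
```

Note how the legacy rule accepts `Foxit1!`, which is too short under NIST's floor, and rejects `correcthorsebatterystaple`, a long passphrase that NIST's guidance is designed to allow; neither policy should be read as a substitute for rate limiting and the compromised-credential check.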