The Customers of Foxit Software Are Warned About a Data Breach That Exposed Passwords

Foxit Software has disclosed that it was recently the victim of a security breach in which an unknown third party gained access to private user data. The people whose accounts were affected have been contacted and told to change their passwords for security reasons.

Foxit Software, which is known for PDF applications like Foxit Reader and PhantomPDF, did not specify when the incident happened or how many of its clients were exposed, but it did say that the hackers breached the "My Account" section of user accounts. This section includes information such as email addresses, passwords, users' names, phone numbers, company names, and IP addresses. Thankfully, it does not include payment information.

In the emails sent out to the people affected by the data breach, Foxit neglected to disclose whether passwords were hashed and salted or saved as plain text, which is worrisome. The company said that the "My Account" section is a "free membership service that gives customers access to software trial downloads, order histories, product registration information, and troubleshooting and support information. The system holds users' names, email addresses, company names, IP addresses, and phone numbers, but does not hold other personal identification data or payment card information. Foxit does not keep customer credit card information in its systems".

Foxit warned its clients to stay vigilant for phishing and identity theft.

In another statement posted on its website, the company stated this:

"Foxit has determined that unauthorized access to its data systems took place recently. Third parties have gained access to Foxit's 'My Account' user account data, which contains email addresses, passwords, users' names, phone numbers, company names, and IP addresses. No payment information was exposed.

Foxit's security team has immediately launched a digital forensics investigation. The company has invalidated the account passwords for all potentially impacted accounts, requiring users to reset their passwords to regain access to the My Account service. Foxit has notified law enforcement agencies and data protection authorities and is destined to cooperate with the agencies' investigations. In addition, the company has hired a security management firm to conduct an in-depth analysis, strengthen the company's security posture, and protect against future cyber security incidents.

Foxit has contacted all affected users and informed them about the risks and what steps to take to keep risks at a minimum."

Foxit Software was heavily criticized on Twitter for limiting new passwords to only 20 characters.

September 11, 2019