Google Drive Accounts Might Be at Risk Due to the Lumin PDF Data Breach

Lumin PDF, or Lumin PDF Viewer, is a popular tool that allows opening, editing, and also sharing PDF (Portable Document Format) files directly via a chosen web browser. It allows users to highlight and underline, erase, or add text, draw lines and shapes, add digital signatures, and also create comments. It is popular among Google Drive and Gmail users, who can choose to open and edit any PDF file using the tool once it is permitted to connect to the account. This tool is popular because it makes it possible to manipulate PDF documents without having to download them first. Unfortunately, not everything that makes out lives more convenient is also what is good for us. Although it is most likely that those using the application are safe, it is also possible that their accounts could have become vulnerable. Please continue reading if you want to learn more about the alleged Google Drive data breach.

Lumin did not report the incident

According to a ZDNet report, an insider warned their researchers that data of 24.3 million Lumin users was leaked online, when it was shared as a CSV file via an underground hacking forum. The insider – who also appears to be the hacker, who exploited a MongoDB database vulnerability to steal the data – claims to have reached out to Lumin on several different occasions within a period of five months to warn the company about the security flaw, but no response was received. ZDNet broke the news and reached out to both Lumin and Google, who, apparently, had launched their own investigations into the incident by that time. So, was Lumin hiding a data breach? In fact, was there a data breach? According to Max Ferguson, the CEO of Lumin – who was approached by Cimpanu Catalin – the hackers behind the attack could not have exploited Google access tokens, which were included in the leaked document, because they were expired by the time the breach occurred. Therefore, according to Lumin, the Google Drive data breach could not have happened. Can we trust these claims? Only time will tell.

What are Google access tokens and how can they be exploited

When you choose to view a PDF file stored on Google Drive using Lumin PDF for the first time, you are informed that “Lumin needs access to Google Drive to open file,” and you are introduced to the Connect To Google Drive button. When you click it, you have to choose the right Google account, and then you are asked to enable certain permissions. First, you are asked to allow the tool to see your files, download your files, as well see the names and email addresses of those who have access to those files. The tool also wants permission to view, create, edit, and delete configuration data on Google Drive. Finally, Lumin PDF needs to save files, create new files, view folders and their content, and make changes within folders, which includes deleting content. If you allow these actions, you are asked to confirm your decision once more, and you are informed that Lumin PDF can associate you with your personal info on Google, see personal information, and view your email address.

Once all permissions are granted, whether you try to open files from OneDrive, Dropbox, Gmail, or Google Drive, you are redirected to That means that Lumin PDF operates from its own website rather than the platform that your file was stored on originally. When the 2.25 BG ZIP file containing the CVS file with Lumin PDF users’ information was leaked, anyone was able to access their names, email addresses, geo-locations, as well as the Google access token. According to Auth0, an access token is a component that allows an application to authorize access to the API (application programming interface). Basically, the access token identifies the user during the login session. Theoretically, cyber attackers can exploit access tokens to hijack accounts, and that is why everyone started talking about a Google Drive data breach when it was discovered that Google access tokens were found in the leaked CSV file. If we believe Max Ferguson, these tokens were expired when they were leaked, and so you can choose to trust Lumin. Or you can remove the application’s permissions.

How to remove app permissions on Google Drive

  1. Go to Google Drive and log in.
  2. Click the Settings icon (gear) in the top-right corner.
  3. Click Settings.
  4. In the menu on the left, click Manage Apps.
  5. Find the app whose permissions you want to remove.
  6. Click the Options drop-down menu.
  7. Click Disconnect from Drive.

N.B. If you believe that Lumin PDF can be trusted, you can reconnect to the application anew after completing these steps.

How to secure the account after a Google Drive data breach

The jury is still out on whether or not a Lumin PDF data breach has caused a Google Drive data breach, but, of course, you want to be proactive. First, we recommend revoking the permissions of the app until you are 100% sure that it can be trusted. Unfortunately, other PDF viewers exist and can become vulnerable. Also, Google Drive could experience a data breach if security flaws are found on Google’s end. While there is a good chance that you will not experience a data breach associated with Lumin or Google Drive ever again, no one can predict when and how cybercriminals will attack next. Therefore, you need to take appropriate security measures, and you want to start with your Google Account.

Are you sure that your Google Account is secure? If you are not 100% sure, we recommend that you continue reading here. Google’s Security center also offers valuable information about your account, and this is where you can set up two-factor authentication, manage third-party access and connected devices, and do other things to secure your account. Note that setting up two-factor authentication is particularly important because you want to have an additional access token that would make it much harder (in many cases, impossible) for cybercriminals to hijack your Google account even if they have one access token. This is not all. If you really want your Google account protected, you need a strong and unique password. While in the case of the Lumin PDF incident, it did not matter how strong the password was, most data breaches occur due to weak passwords. If you are not sure if your Google password is weak, continue reading here.

November 19, 2019

Leave a Reply