Google Drive Accounts Might Be at Risk Due to the Lumin PDF Data Breach

Lumin PDF, or Lumin PDF Viewer, is a popular tool that allows opening, editing, and also sharing PDF (Portable Document Format) files directly via a chosen web browser. It allows users to highlight and underline, erase, or add text, draw lines and shapes, add digital signatures, and also create comments. It is popular among Google Drive and Gmail users, who can choose to open and edit any PDF file using the tool once it is permitted to connect to the account. This tool is popular because it makes it possible to manipulate PDF documents without having to download them first. Unfortunately, not everything that makes out lives more convenient is also what is good for us. Although it is most likely that those using the application are safe, it is also possible that their accounts could have become vulnerable. Please continue reading if you want to learn more about the alleged Google Drive data breach.

Lumin did not report the incident

According to a ZDNet report, an insider warned their researchers that data of 24.3 million Lumin users was leaked online, when it was shared as a CSV file via an underground hacking forum. The insider – who also appears to be the hacker, who exploited a MongoDB database vulnerability to steal the data – claims to have reached out to Lumin on several different occasions within a period of five months to warn the company about the security flaw, but no response was received. ZDNet broke the news and reached out to both Lumin and Google, who, apparently, had launched their own investigations into the incident by that time. So, was Lumin hiding a data breach? In fact, was there a data breach? According to Max Ferguson, the CEO of Lumin – who was approached by Cimpanu Catalin – the hackers behind the attack could not have exploited Google access tokens, which were included in the leaked document, because they were expired by the time the breach occurred. Therefore, according to Lumin, the Google Drive data breach could not have happened. Can we trust these claims? Only time will tell.

What are Google access tokens and how can they be exploited

When you choose to view a PDF file stored on Google Drive using Lumin PDF for the first time, you are informed that “Lumin needs access to Google Drive to open file,” and you are introduced to the Connect To Google Drive button. When you click it, you have to choose the right Google account, and then you are asked to enable certain permissions. First, you are asked to allow the tool to see your files, download your files, as well see the names and email addresses of those who have access to those files. The tool also wants permission to view, create, edit, and delete configuration data on Google Drive. Finally, Lumin PDF needs to save files, create new files, view folders and their content, and make changes within folders, which includes deleting content. If you allow these actions, you are asked to confirm your decision once more, and you are informed that Lumin PDF can associate you with your personal info on Google, see personal information, and view your email address.

Once all permissions are granted, whether you try to open files from OneDrive, Dropbox, Gmail, or Google Drive, you are redirected to luminpdf.com. That means that Lumin PDF operates from its own website rather than the platform that your file was stored on originally. When the 2.25 BG ZIP file containing the CVS file with Lumin PDF users’ information was leaked, anyone was able to access their names, email addresses, geo-locations, as well as the Google access token. According to Auth0, an access token is a component that allows an application to authorize access to the API (application programming interface). Basically, the access token identifies the user during the login session. Theoretically, cyber attackers can exploit access tokens to hijack accounts, and that is why everyone started talking about a Google Drive data breach when it was discovered that Google access tokens were found in the leaked CSV file. If we believe Max Ferguson, these tokens were expired when they were leaked, and so you can choose to trust Lumin. Or you can remove the application’s permissions.

How to remove app permissions on Google Drive

  1. Go to Google Drive and log in.
  2. Click the Settings icon (gear) in the top-right corner.
  3. Click Settings.
  4. In the menu on the left, click Manage Apps.
  5. Find the app whose permissions you want to remove.
  6. Click the Options drop-down menu.
  7. Click Disconnect from Drive.

N.B. If you believe that Lumin PDF can be trusted, you can reconnect to the application anew after completing these steps.

How to secure the account after a Google Drive data breach

The jury is still out on whether or not a Lumin PDF data breach has caused a Google Drive data breach, but, of course, you want to be proactive. First, we recommend revoking the permissions of the app until you are 100% sure that it can be trusted. Unfortunately, other PDF viewers exist and can become vulnerable. Also, Google Drive could experience a data breach if security flaws are found on Google’s end. While there is a good chance that you will not experience a data breach associated with Lumin or Google Drive ever again, no one can predict when and how cybercriminals will attack next. Therefore, you need to take appropriate security measures, and you want to start with your Google Account.

Are you sure that your Google Account is secure? If you are not 100% sure, we recommend that you continue reading here. Google’s Security center also offers valuable information about your account, and this is where you can set up two-factor authentication, manage third-party access and connected devices, and do other things to secure your account. Note that setting up two-factor authentication is particularly important because you want to have an additional access token that would make it much harder (in many cases, impossible) for cybercriminals to hijack your Google account even if they have one access token. This is not all. If you really want your Google account protected, you need a strong and unique password. While in the case of the Lumin PDF incident, it did not matter how strong the password was, most data breaches occur due to weak passwords. If you are not sure if your Google password is weak, continue reading here.

By Foley
November 19, 2019
News
English
November 19, 2019
News

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

News

Google Reveals a New Google+ Data Breach and a New Shutdown Date

In early 2018, Google launched what it called Project Strobe – a thorough review of how third-party apps and consumers engage with the search engine giant's services. After carefully poking through Google+, Mountain... Read more

December 12, 2018
How To

How to Delete Google Accounts from Android Smartphones

Did you know that can add and remove accounts to your Android devices (like your smartphone or your tablet? Well, it's true. Whenever decide to add a new account or remove an existing one, the information related to... Read more

February 1, 2019
News

A New Data Breach Affects Multiple Online Casinos

In theory, the constant stream of news about leaked data should raise awareness not only among users but also among service providers who can take these incidents as valuable lessons and learn from other people's... Read more

January 22, 2019
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.