

May 06, 2020

Is Lumin safe? Our robust new security stance


Data breaches are nothing new, yet they are never good news. A Lumin security breach in 2019 left many users wondering whether Lumin is safe. So, how secure is Lumin? Is the Lumin PDF mobile app safe, and is the Lumin PDF editor safe in the web browser as well?

In a slew of hacker attacks in 2019, cloud-based editing platform Lumin was targeted alongside other large companies and a portion of its database was breached. Ultimately no sensitive user data was compromised, but what has the company changed to prevent a similar breach from happening in the future? We’ll dig into that question and explore how safe your data is in Lumin.

The Lumin data breach and why it happened

Cybercriminals are growing more sophisticated in their tactics for overcoming security measures. Data platform Statista reports that 2019 was the biggest year for cyberattacks on record. A massive 400 billion user records had been compromised by cybercriminals by the end of the year. Among the companies hit were Amazon, Apple, and two third-party data collection providers for Facebook. By comparison, 85.6 million records were exposed in 2014. In spite of evolving security, hackers pose a bigger threat now than ever.

Many of the attacks that were carried out in 2019 occurred in companies that had been using the MongoDB data storage platform. This platform is widely used by well-known companies from many industries because of its benefits in flexibility, scalability, and query performance.

Yet in the wake of this string of attacks, it became clear that these organizations’ trust in the MongoDB database was misplaced. Outdated MongoDB versions remained available and in use, meaning that organizations had unintentionally left their servers exposed.

It was these old instances, deployed on the cloud, that weakened the security stance of hacked companies, says Victor Gevers, a GDI Foundation security researcher. "The Mongo databases most vulnerable to attacks are located on the AWS platform," explained Gevers. "About 78% of all these hosts were running known vulnerable versions that are older DB instances." Lack of authentication when operating in shared mode was another problem. 
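As an added example (not Lumin's code), a small Python check for the two exposure conditions this section describes, an instance with no authorization enabled and one listening on every interface, plus the TLS setting Lumin adopted afterwards. The two configurations are constructed and have the structure that PyYAML's yaml.safe_load() returns for a mongod.conf file; MongoDB 4.2+ key names are assumed.

```python
"""Audit a mongod configuration for the exposure conditions described above.
Added example, not Lumin's code. The two configs are constructed and have the
shape yaml.safe_load() returns for a mongod.conf file (MongoDB 4.2+ key names)."""

# Constructed: how many of the 2019 victims were set up, no authorization and listening everywhere.
WEAK_CONF = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed: the hardened counterpart.
HARDENED_CONF = {
    "net": {
        "port": 27017,
        "bindIp": "127.0.0.1,10.0.0.5",
        "tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/ssl/mongodb.pem"},
    },
    "security": {"authorization": "enabled"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}


def bind_addresses(conf):
    """net.bindIp is a comma-separated string; net.bindIpAll: true is the explicit all-interfaces form."""
    net = conf.get("net", {})
    if net.get("bindIpAll"):
        return ["0.0.0.0"]
    return [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]


def audit_mongod_conf(conf):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    findings = []
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("authorization disabled: anyone who can reach the port can read and drop data")
    if any(a in ("0.0.0.0", "::") for a in bind_addresses(conf)):
        findings.append("bindIp covers all interfaces: instance reachable from outside the host")
    if conf.get("net", {}).get("tls", {}).get("mode") != "requireTLS":
        findings.append("TLS not required: credentials and documents cross the network unencrypted")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```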

These failings were eventually revealed, but only after hackers had already successfully attacked dozens of companies. The pattern of the attack was the same in nearly every case: the hackers first copied the user data to which they had gained access. Then they deleted the original data from the targeted server and demanded payment in Bitcoin in exchange for returning the data to the companies. The data of over 800 million users was essentially held hostage in this way. However, the hackers had more tricks up their sleeve.

Many companies paid the ransom immediately, and some of them received their data as promised. Others did not. The cybercriminals behind the attacks were extorting huge sums of money from desperate companies and leaving their databases as empty as before. Once news of this trick spread, newly attacked companies began to rethink paying the Bitcoin ransom, and some of them outright refused. Lumin had only non-sensitive user data, such as name and gender, exposed to the hackers, who were not able to delete Lumin's sensitive data in the breach. Knowing this, the company chose not to cooperate with the hackers.

Later, the hackers expanded their attacks to ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL servers.

Lumin PDF safety and privacy review

Following the Lumin data breach, the company has ramped up its security to ensure continued protection for user data. CEO Max Ferguson stresses that Lumin’s safety commitment to users is strong.

"We are continually thinking about how to better protect our data, using techniques like encryption and role-based access control," says Max Ferguson, CEO of Lumin. "Our first move was to implement a multi-layered strategy where data is protected by many strong layers of security technology. Many of the targeted companies are doing the same."

Lumin’s new security stance involves additional measures to secure both users’ personal accounts and the company servers. These include:

  • Heightened role-based access control. Lumin has intensified authentication requirements and narrowed access controls to limit the risk of any internal breach.
  • Implemented Transport Layer Security. A man-in-the-middle (MITM) attack occurs when a cybercriminal secretly intercepts and/or alters private communications between two parties. Lumin strengthened its encryption following the attack with Transport Layer Security (TLS), which protects the connections over which Lumin accesses users' files. TLS combines public key encryption (to establish each session) with symmetric encryption (to carry the data), and its integrity checks cause the connection to fail, and the system to be notified, if message tampering is detected.
  • Launched multi-layer encryption. Lumin now uses secure session tokens that protect the contents of the database in the event that a hacker succeeds in breaching the first layer of database security.
  • Continuous system auditing. With system auditing configured, audit events are written either to a syslog connection or to a file. These events can then be sent to a more robust log aggregator or, better yet, to a security information and event management tool (SIEM). A SIEM provides real-time analysis of security events throughout the network to identify malicious activity.
  • Increased firewall protection. Lumin has doubled down on its firewall protection around all of its servers and its database.
  • Tightened link sharing policies. To help users avoid accidental document sharing, Lumin now requires users to individually confirm their sharing settings for each file.
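
Added example (not Lumin's code, and not any SIEM product's rules) of the kind of detection logic a log aggregator or SIEM could run over MongoDB audit events to catch the pattern described earlier, data copied and then deleted for ransom on an instance without authorization. The sample events are constructed; their field names follow MongoDB's JSON audit-log format, and the admin-host allowlist is an assumption.

```python
"""Flag the 'dump, then drop' ransom pattern in MongoDB audit-log events.
Added example, not Lumin's code. Sample events are constructed; the field names
(atype, ts, remote, users, param, result) follow MongoDB's JSON audit-log format."""
import json
from datetime import datetime

DESTRUCTIVE = {"dropDatabase", "dropCollection"}
AUTH_FAILED = 18            # result code recorded for a failed 'authenticate' event
ADMIN_HOSTS = {"10.0.0.5"}  # Constructed allowlist of hosts expected to run destructive operations

# Constructed sample: a legitimate admin drops a scratch collection; later an outside host
# fails to authenticate and, on a server without authorization enabled, drops the database anyway.
SAMPLE_AUDIT_LOG = """\
{"atype":"authenticate","ts":{"$date":"2019-09-01T10:00:00Z"},"remote":{"ip":"10.0.0.5","port":40000},"users":[{"user":"app","db":"admin"}],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"dropCollection","ts":{"$date":"2019-09-01T10:05:00Z"},"remote":{"ip":"10.0.0.5","port":40000},"users":[{"user":"app","db":"admin"}],"param":{"ns":"lumin.tmp_export"},"result":0}
{"atype":"authenticate","ts":{"$date":"2019-09-01T12:00:00Z"},"remote":{"ip":"203.0.113.9","port":51000},"users":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"dropDatabase","ts":{"$date":"2019-09-01T12:00:07Z"},"remote":{"ip":"203.0.113.9","port":51000},"users":[],"param":{"ns":"lumin"},"result":0}
"""

def parse_events(text):
    """One JSON document per line; parse the ISO timestamp once so events can be ordered."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["_ts"] = datetime.fromisoformat(ev["ts"]["$date"].replace("Z", "+00:00"))
            events.append(ev)
    return events

def detect(events, window_s=300):
    """Return (rule, remote_ip, namespace) tuples for destructive events that look like the attack."""
    alerts = []
    last_failed_auth = {}  # remote ip -> time of the most recent failed authentication
    for ev in sorted(events, key=lambda e: e["_ts"]):
        ip = ev["remote"]["ip"]
        if ev["atype"] == "authenticate" and ev["result"] == AUTH_FAILED:
            last_failed_auth[ip] = ev["_ts"]
        if ev["atype"] not in DESTRUCTIVE:
            continue
        ns = ev["param"].get("ns", "?")
        if not ev["users"]:  # no authenticated user: the no-auth exposure the 2019 attacks relied on
            alerts.append(("drop-without-authenticated-user", ip, ns))
        if ip not in ADMIN_HOSTS:
            alerts.append(("drop-from-unexpected-host", ip, ns))
        failed_at = last_failed_auth.get(ip)
        if failed_at is not None and (ev["_ts"] - failed_at).total_seconds() <= window_s:
            alerts.append(("drop-shortly-after-failed-auth", ip, ns))
    return alerts
```

Running `detect(parse_events(SAMPLE_AUDIT_LOG))` raises three alerts for the outside host's dropDatabase and none for the admin host's routine dropCollection.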

With these measures added on top of Lumin PDF’s original security measures, users can use the Lumin viewer safely both on their web browsers and via mobile app.

Digital technology and risk go hand in hand. That’s a fact of the digital world, regardless of security measures in place. Cybercriminals evolve their tactics quickly, which is why cyberattacks continue to happen in spite of security measures. However, there are steps all users can take to ensure the least risk to their data. It’s important to evaluate the security stances of cloud platforms you use and opt for those that frequently review their policies. Lumin has proven the strength of its commitment to transparency and security with its strengthened security policy.
