Explore all blogs

Is Lumin safe? Our robust new security stance


Lumin staff


Apr 15, 2024



read time

3 mins

blue and black line illustration of a padlock against a light blue background

A Lumin security breach in 2019 left many users wondering: is Lumin safe to use? Here’s how we’ve improved our security since this incident.

Table of Contents

  • 1. Lumin’s safety and privacy review

  • 2. Do Lumin users need to worry?

  • 3. Lumin’s new security stance

  • 4. What caused the Lumin data breach?

  • 5. Was I affected by the Lumin data leak?

  • 1. Lumin’s safety and privacy review
  • 2. Do Lumin users need to worry?
  • 3. Lumin’s new security stance
  • 4. What caused the Lumin data breach?
  • 5. Was I affected by the Lumin data leak?

share this post

A slew of hacker attacks in 2019 targeted several large companies including Lumin. A portion of our database was breached, but ultimately no sensitive user data was compromised.

We took this event extremely seriously, and have put multiple new safeguards in place to prevent something similar happening again. 

Lumin’s safety and privacy review

Following the data breach we ramped up security considerably. At the time, CEO Max Ferguson stressed Lumin’s commitment to data security: "We are continually thinking about how to better protect our data, using techniques like encryption and role-based access control," he said.

"Our first move was to implement a multi-layered strategy where data is protected by many strong layers of security technology. Many of the targeted companies are doing the same."

Do Lumin users need to worry?

Most of our customers come to Lumin via Dropbox or Google, and require authentication from these services; this means they’re not vulnerable to username/password leaks. 

However, we also need to protect our username/password customers. One way we do this is simple: Lumin PDF editor does not store user passwords. This means it’s highly unlikely anyone could obtain your password from our systems. 

Lumin’s new security stance

Since 2019 we’ve worked hard to upgrade our systems and our current certifications reflect our commitment to a global standard of security.

Security enhancements we’ve implemented: 

  • Ory roll out: we’ve implemented the Ory zero-trust authentication system, a world-class cloud identity security platform.
  • Role-based access control: we’ve intensified authentication requirements and narrowed access controls to limit the risk of business customers suffering an internal breach.
  • SOC-2: we work with an independent auditor to maintain SOC-2 compliance.
  • Continuous system auditing: we get real-time analysis of security events via MongoDB and DataDog, which aggregate logs of audit events. These can be sent to a management tool that analyzes these events and identifies malicious activity.
  • Firewall protection: we've doubled down on firewall protection around all our servers and databases.
  • Link sharing policies: to help users avoid accidental document sharing, Lumin now requires users to individually confirm their sharing settings for each file. 
  • Salting passwords: the passwords leaked in the 2019 breach were salted and hashed, and we have not seen anything to suggest the salt was broken.

With these measures added on top of our original security measures – which, again, prevented sensitive data from being stolen completely – users can safely use Lumin’s web or mobile apps.

What caused the Lumin data breach?

Many of the 2019 cyber attacks occurred via a weakness in the MongoDB data storage platform. At the time MongoDB was running outdated instances, leaving some organizations – like Lumin – using the platform with unintentionally exposed servers.

"The Mongo databases most vulnerable to attacks are located on the AWS platform," said Victor Gevers, a GDI Foundation security researcher. "About 78% of all these hosts were running known vulnerable versions that are older DB instances." Another problem was lack of authentication when operating in shared mode. 

The pattern of attack was the same in nearly every case: hackers first copied user data, then deleted the original data from the targeted server. They then demanded payment in Bitcoin in exchange for returning the data to companies.

The data of over 800 million users across all hacked companies was held hostage in this way.

Many companies paid the ransom immediately and some received their data, as promised. Others did not. Once news of this spread, companies that had been newly attacked were less inclined to pay the ransom.

The data stolen from Lumin was non-sensitive user data: name and gender of users. The hackers were not able to delete our sensitive data. Knowing this, we made a choice not to cooperate with the hackers.

Was I affected by the Lumin data leak?

Anyone affected by the 2019 leak was contacted by us at the time. We’re aware of claims Lumin customer data is sold – either by us or by external parties – and can confirm this is untrue.

If your data is ever leaked from us, we will tell you.

Our priority is maintaining an extremely high level of security to ensure this isn’t something you ever need to worry about.

share this post