Tens of thousands of user documents, including passports, driving licenses, certificates, and other personal information uploaded by users, have been leaked by two online PDF makers.
Everyone has been there: in a hurry, struggling to quickly create a PDF and submit a form. Many have turned to online PDF makers for help, and many have had their requests answered.
However, if you’ve ever wondered why those services are free, the answer is that not everyone places a high value on protecting user data. Over 89,000 documents were leaked by two online PDF creators, PDF Pro and Help PDF, according to the Cybernews investigation team.
Worse, multiple attempts to contact the service providers went unnoticed, and the exposed Amazon S3 bucket was still open for anyone to access at the time of publishing. Additionally, users continue to upload documents without realizing that their information is being leaked onto the internet.
We have also attempted to obtain an official statement from service providers, but we have not yet received a response.
Risks to one’s security
PDF Pro (pdf-pro.io) and Help PDF (www.help-pdf.com) both appear to be run by the same legal entity with headquarters in the UK and share the same design. Tools for editing, compressing, and converting PDFs are available to users, as is the option to sign the documents.
According to the team, the exposed bucket contains files uploaded by users. At the time of writing, there were 89,062 exposed files, with 1,244 uploaded via Help PDF and 87,818 uploaded via PDF Pro.
The files contain private information that not many people would want to share online. The open bucket contains:
- Passports
- Driving licenses
- Declarations
- Contracts
- Other records and data
“With access to individual records, crooks can participate in different false exercises, for example, applying for credits, leasing properties, or buying costly things utilizing the victim’s identity,” specialists said.
The documents that were leaked can be used by attackers to open bank accounts, apply for credit cards, and carry out other financial transactions in the victim’s name.
Threat actors can also alter or forge documents like licenses or contracts to create fictitious identities, fabricate qualifications, or manipulate legal agreements to their advantage, which could result in the victim facing legal issues.
The team offers a few suggestions for mitigating the leak and preventing similar incidents in the future:
- Immediately restrict public access to the bucket
- Change the bucket policy and access control lists (ACLs) to restrict access to authorized users or applications only
- Ensure that all objects in the bucket are set to private or have suitable access controls configured
- Enable server-side encryption on the bucket to safeguard information at rest. Based on their needs, administrators can choose between SSE-S3, SSE-KMS, or SSE-C.
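
One way to check a bucket against the four recommendations above, as an added example that is not from the Cybernews report or the affected services: a Python audit that runs offline over settings simplified from what the S3 public access block, bucket policy, ACL and encryption APIs return. The `bucket` dictionary layout, the bucket name `example-uploads` and the object key are assumptions constructed for illustration.

```python
# Added example: offline audit of S3 bucket settings. All data is constructed.
_G = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {_G + "AllUsers", _G + "AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def has_public_grant(acl):
    """True if an ACL grants anything to AllUsers or AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
               for g in acl.get("Grants", []))

def public_statements(policy):
    """Sids of Allow statements whose principal is the wildcard '*'."""
    sids = []
    for stmt in policy.get("Statement", []):
        p = stmt.get("Principal")
        p = p.get("AWS") if isinstance(p, dict) else p
        if stmt.get("Effect") == "Allow" and p in ("*", ["*"]):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids

def audit(bucket):
    """Return one finding for each check the bucket fails (hypothetical layout)."""
    findings = []
    pab = bucket.get("PublicAccessBlock", {})
    off = [f for f in PAB_FLAGS if not pab.get(f)]
    if off:
        findings.append("public access block disabled: " + ", ".join(off))
    for sid in public_statements(bucket.get("Policy", {})):
        findings.append(f"policy statement {sid} allows any principal")
    if has_public_grant(bucket.get("Acl", {})):
        findings.append("bucket ACL has a public grant")
    for key, acl in sorted(bucket.get("ObjectAcls", {}).items()):
        if has_public_grant(acl):
            findings.append(f"object {key} has a public ACL grant")
    # SSE-C is requested per upload, so only the bucket default is checked.
    if bucket.get("Encryption") not in ("AES256", "aws:kms"):
        findings.append("no default SSE-S3 or SSE-KMS encryption")
    return findings

_PUB = {"Grants": [{"Grantee": {"Type": "Group", "URI": _G + "AllUsers"},
                    "Permission": "READ"}]}
EXPOSED = {  # constructed: world-readable upload bucket
    "Policy": {"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
               "Principal": "*", "Action": "s3:GetObject",
               "Resource": "arn:aws:s3:::example-uploads/*"}]},
    "Acl": _PUB, "ObjectAcls": {"uploads/scan-0001.pdf": _PUB}}
HARDENED = {  # constructed: same bucket after the four fixes
    "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True), "Policy": {},
    "Acl": {"Grants": []}, "ObjectAcls": {}, "Encryption": "aws:kms"}
```

Calling `audit(EXPOSED)` returns five findings, one per failed check, while `audit(HARDENED)` returns an empty list. The policy check flags every wildcard `Allow` statement, including ones narrowed by a `Condition`, so that they get a manual review.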