Nitro, a document productivity and PDF software company, suffered a data breach in September 2020 that exposed records tied to over 77 million user accounts. The breach stemmed from a misconfiguration and affected databases linked to Nitro's free online services. Nitro stated that its desktop software, Nitro Pro, and its analytics product were not involved. The exposed data included email addresses, names, bcrypt password hashes, and the titles of documents users had converted through the platform. The inclusion of document titles is an unusual detail. Those titles can reveal the nature of sensitive business, legal, or personal files, giving attackers context that goes beyond standard credential theft. Bcrypt hashing offers some protection for passwords, but the combination of email addresses, names, and document metadata still creates meaningful risk for affected users and their organizations. No widely reported regulatory actions or enforcement proceedings stemmed from the breach. The data was later shared with the breach notification service Have I Been Pwned through dehashed.com. Affected users should treat their Nitro account credentials as compromised, change any reused passwords, and stay alert to phishing attempts that may reference document-related activity, as attackers could use the exposed metadata to craft convincing, targeted messages.

Document productivity platforms collect user accounts, emails, document metadata, billing records, and collaboration activity tied to PDF creation, editing, signing, and workflow automation.

Nitro remains an active document-workflow software company and has recently emphasized AI, enterprise workflows, and channel expansion. Its recent public announcements highlight the Nitro Sign API, Smart Redact for regulated industries, a Canva partnership, expanded distribution in Europe, and multiple 2025 to 2026 product releases focused on automation and document workflow modernization.