TL;DR

ADT reported a data breach on April 24, 2026, after discovering unauthorized access to cloud-based systems. The same week, BePrime suffered a breach exposing 12.6GB of data from 1,858 network devices. Both incidents involved data stored in cloud systems the victims believed were secure. Convert: Anything to PDF converts your files entirely in your browser—no upload, no server, no cloud exposure. Free, no account required.

What Happened: ADT and BePrime in April 2026

The ADT Incident

ADT, the home and business security company, submitted a Form 8-K to the U.S. Securities and Exchange Commission on April 24, 2026, disclosing that it had discovered unauthorized access to specific cloud-based systems on April 20, 2026. The filing noted the company was investigating the nature and scope of the incident.

ADT had previously experienced notable breaches: a 2024 incident involving customer account data, and a 2023 incident affecting a limited customer email database. The pattern is consistent: cloud-stored data is repeatedly the target.

The BePrime Incident

On April 20, 2026, a cybercriminal posted BePrime's data on a breach forum after exploiting admin accounts that lacked multi-factor authentication. The attacker gained control of:

  • 1,858 network devices
  • Over 2,600 connected devices
  • 12.6 GB of data including credentials in plaintext, transaction records, and security audit reports
  • Live surveillance camera access for clients including Iberdrola, Whirlpool, and Alsea

BePrime is a network management platform—its clients trusted it with connectivity infrastructure. The breach demonstrated that even security-adjacent companies can have critical gaps.

The Common Thread

Both incidents share the same fundamental characteristic: data stored in cloud infrastructure is data exposed to potential breach. The question is not whether a cloud system will be compromised—it's which one, when, and what data is affected.

How This Applies to PDF Conversion Tools

Online PDF converters are cloud services. When you upload a file to SmallPDF, ILovePDF, PDFCrowd, Sejda, Adobe Acrobat online, or any comparable service, your document is processed on that service's cloud infrastructure.

That infrastructure is:

Connected to the internet — by definition, since it's a web service

Shared with other customers — multi-tenant cloud infrastructure, where your files may reside on the same servers as other users' files

Dependent on multiple third parties — cloud storage providers, CDN providers, conversion libraries, logging services, each of which is a potential attack surface

Subject to breach scenarios — the same vulnerabilities that affected ADT, BePrime, Vercel, and thousands of other cloud services apply

What Files Do You Upload to PDF Converters?

Think about the documents you've converted to PDF in the past year:

  • Tax returns or financial statements (to send to your accountant or mortgage lender)
  • Employment contracts or offer letters
  • Medical records or insurance documents
  • Legal agreements or NDA templates
  • Business financial reports (revenue, cost structure, forecasts)
  • HR documentation (performance reviews, salary information)
  • Client contracts or vendor agreements

These are the files that cloud breaches expose. A PDF conversion service holding your uploaded tax return or employment contract is a security risk that most users never consciously evaluate.

The "We Delete Files Within 1 Hour" Claim

Most online PDF services prominently advertise that uploaded files are automatically deleted—typically within 1 hour. Some offer a "delete immediately" button. These claims deserve scrutiny:

CDN caching. Files delivered via content delivery networks may persist in edge caches beyond the deletion window. CDN cache invalidation is a separate operation from primary storage deletion.

Backup systems. Cloud infrastructure routinely maintains backups for disaster recovery. A file that's "deleted" from primary storage may persist in backups for days, weeks, or months.

Third-party logging. Analytics, telemetry, and logging services that record upload events may retain file metadata (filename, file size, content hashes) even after the file itself is deleted.

Breach windows. A breach doesn't require files to be retained—it requires that the breach happen while files are present. If your document is on a server for 45 minutes, that's a 45-minute window.

None of this means online converters are inherently malicious. It means that "we delete files after an hour" doesn't eliminate risk—it bounds the exposure window.

Local Conversion: How It Works and Why It's Different

Convert: Anything to PDF uses a fundamentally different architecture:

  1. You open the extension in Chrome
  2. You drag a file (or click to select it) from your local filesystem
  3. The extension processes the file using browser-native APIs and locally-executed code
  4. The PDF is generated and saved to your Downloads folder

No network requests are made during conversion. The file never leaves your machine. There is no server to breach, no cloud infrastructure to attack, no third-party CDN to cache your document.

The extension is a piece of software that runs in Chrome's sandbox—the same environment that handles your banking website and encrypted communications. It's not a server-side service operating somewhere you can't see.

What File Types Can Be Converted Locally

  • Microsoft Word (.docx, .doc) — Including complex formatting, tables, and embedded images
  • Microsoft Excel (.xlsx, .xls) — Spreadsheets with multiple sheets, charts, and formulas
  • Microsoft PowerPoint (.pptx, .ppt) — Presentations with graphics, layouts, and transitions rendered as slides
  • Images (.jpg, .png, .gif, .bmp, .tiff, .webp) — Multiple images can be combined into a single PDF
  • Plain text (.txt) — Simple text files formatted as readable PDFs
  • HTML files — Local HTML files rendered as PDFs
  • CSV files — Tabular data formatted as PDF tables

Cloud Services You Can Trust vs. Can't Trust for Sensitive Files

Not all cloud services carry equal risk for sensitive documents. A useful mental model:

Higher risk (don't upload sensitive documents here):

  • Online PDF converters with no enterprise security program
  • Free consumer tools with unclear business models
  • Services that don't publish detailed terms about data handling
  • Tools that don't offer explicit data processing agreements

Lower risk (designed for sensitive documents):

  • Enterprise document management systems (Microsoft SharePoint, Google Workspace) with organizational admin controls, audit logging, and enterprise SLAs
  • Industry-specific platforms with regulatory compliance (HIPAA-covered health information platforms, legal matter management systems)
  • Tools your organization has vetted through a security review

Zero risk (no upload, no server):

  • Local desktop software (Adobe Acrobat on your machine, not the cloud service)
  • Browser extensions with local processing
  • Operating system native tools (macOS Print to PDF, Windows 11 PDF printer)

For sensitive documents, default to the zero-upload tier.

Building a Secure Document Conversion Workflow

Audit your current tools. List the tools you use to convert, process, or edit documents. For each, note whether they require an upload and whether you've reviewed their security practices.

Segment by sensitivity. Not all documents need the same protection. A recipe, a news article, or a public report can go through any online tool. Financial statements, legal contracts, and medical records should never leave your machine during processing.

Install local alternatives. Convert: Anything to PDF for files and Convert: Web to PDF for web pages cover the most common PDF creation needs without any upload.

Train your team. For small businesses and teams, a one-time conversation about which tool to use for sensitive documents is enough. "For confidential files, use the browser extension—not the online tool."

Enterprise Context: Cloud PDF Tools at Scale

For large organizations, the risk calculus is different—both higher stakes and more infrastructure for mitigation.

A 5,000-person company that processes thousands of documents through an online PDF converter is a more attractive target than an individual. And the aggregate exposure—thousands of employee contracts, client agreements, financial reports—is more valuable to a threat actor.

Enterprise PDF software (Adobe Acrobat Enterprise, Nitro PDF Enterprise, Foxit PDF Enterprise) includes security controls that consumer online tools don't:

  • Data processing agreements with explicit security SLAs
  • Encryption in transit and at rest
  • Audit logging of document access
  • Integration with enterprise identity management (SSO, MFA)
  • Deployment options that don't require files to leave the corporate network

For enterprise use, these are worth evaluating. For individual users and small teams, the overhead isn't justified—local conversion tools are more than sufficient.

Frequently Asked Questions

Q: Is my current antivirus or EDR sufficient protection when using online PDF tools?

Antivirus and endpoint detection protect your machine from malicious files or processes. They don't protect data you've uploaded to a third-party server from being breached on that server. The two threat models are different—local security and remote server security are separate concerns.

Q: What about using a VPN when uploading to PDF converters?

A VPN encrypts traffic between your device and the VPN endpoint. It doesn't encrypt traffic between the PDF service's servers and a potential attacker. The data breach risk is at the service's infrastructure, not in transit.

Q: If I need to convert a very large file that exceeds what a browser extension can handle, what's my option?

For genuinely large files (hundreds of MB), desktop software (LibreOffice, which is free and open-source, or Adobe Acrobat on your local machine) handles them without a network upload. Install it locally rather than using the cloud service version.

Q: What should I do if I realize I've previously uploaded sensitive documents to an online PDF tool?

There's no retroactive remedy for files already processed. Going forward, use local tools for sensitive material. If you uploaded something particularly sensitive, consider whether the service's data retention policies mean it's likely already been deleted. Most incidents involve opportunistic attackers rather than targeted document theft.

Q: Does ADT's breach affect residential security customers?

ADT's April 24, 2026 disclosure described unauthorized access to "specific cloud-based systems." The nature of what data was affected hadn't been fully disclosed as of the filing date. Customers with ADT accounts should monitor for follow-up notifications.

The Bottom Line

April 2026 brought two more reminders that cloud infrastructure is a persistent target: ADT's unauthorized system access and BePrime's 12.6GB breach. Neither company's cloud security was obviously negligent—they were simply operating in an environment where breaches happen.

The practical response for document security: stop uploading sensitive files to cloud services when local alternatives exist.

Convert: Anything to PDF converts Word, Excel, images, and other files to PDF without leaving your machine. Free, no account, no upload window for attackers to exploit.

For web pages, Convert: Web to PDF does the same—locally, cleanly, free.