


A thread surfaced on Reddit today that contained links to files containing hundreds of usernames and passwords for Dropbox accounts in plain text, but it’s unclear where they were obtained from. In four Pastebin files linked to from the site, a few hundred username and password pairs were listed in plain text as “teases” for a full leak from an anonymous user, who asked for Bitcoin donations for continued leaks.

A message annotated at the top of the leaks said:

“Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts. To see plenty more, just search on for the term Dropbox hack.”

Users in the Reddit thread allegedly confirmed the credentials in the spreadsheet worked at time of writing on multiple accounts listed, however it’s not clear where these credentials actually came from nor how many users were affected.

Lots of companies do this. It’s the reason why if you Google a phrase like “dropbox secure file sharing” you’ll see ads and links not just for Dropbox, but for competitors too. Similarly, if you Google “Intralinks file sharing” you’ll see ads for Dropbox and others.

No-one is saying that this is a bad thing – the sites concerned aren’t pretending to be something they’re not, and it’s just a healthy competitive marketplace at work, informing you of your choices as a consumer.

But, when Intralinks looked at the data from Google Adwords campaigns that mentioned its competitors Box.com and Dropbox, they found something which shocked them: the fully clickable URLs required to access documents stored on the services, including some containing clearly sensitive information.

For example, here is one person’s income tax return scooped up from Dropbox. (The image has been redacted below to preserve the individual’s anonymity.)

And here is another individual’s mortgage application:

Richard Anstey, Intralinks’s CTO for the EMEA region, provided some insight into the scale of the problem:

“In one short and entirely innocently designed ad campaign alone, we found that about 5 per cent of hits represented full links to shared files, half of which required no password to download. This amounted to over 300 documents from a small campaign, including several tax returns, a mortgage application, bank information and personal photos. In one case, corporate information including a business plan was uncovered. We also found evidence that many people are mingling their personal and professional files, potentially presenting privacy and security concerns for organisations.”

The obvious question then follows: How are Google Ad campaigns receiving these private and highly sensitive URLs, and opening the possibility for unauthorised parties to access confidential data?

Well, here are two paths through which a user can accidentally leak the URL to a folder on Box or Dropbox.
