Information Security News mailing list archives

Dozens of companies leaked sensitive data thanks to misconfigured Box accounts


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 12 Mar 2019 07:47:09 +0000 (UTC)

https://techcrunch.com/2019/03/11/data-leak-box-accounts/

By Zack Whittaker
TechCrunch
March 11, 2019

Security researchers have found dozens of companies inadvertently leaking
sensitive corporate and customer data because staff are sharing public links to
files in their Box enterprise storage accounts that can easily be discovered.

The discoveries were made by Adversis, a cybersecurity firm, which found major
tech companies and corporate giants had left data inadvertently exposed.
Although data stored in Box enterprise accounts is private by default, users can
share files and folders with anyone, making data publicly accessible with a
single link. But Adversis said these secret links can be discovered by others.
Using a script to scan for and enumerate Box accounts with lists of company
names and wildcard searches, Adversis found more than 90 companies with publicly
accessible folders.

Not even Box's own staff were immune from leaking data.

The company said while much of the data is legitimately public and Box advises
users how to minimize risks, many employees may not know the sensitive data they
share can be found by others.

Worse, some public folders were scraped and indexed by search engines, making
the data found more easily.

[...]


