Discovered by cybersecurity firm Adversis, dozens of tech companies and corporate giants have been inadvertently leaking sensitive corporate and customer data because of misconfigured Box enterprise storage accounts,is reporting.
The security researchers found that even though files stored in Box enterprise accounts are private by default and can only be shared by generating private links for sharing files and folders with others, some of these ‘secret links’ can be discovered by others.
Adversis discovered over 90 companies with publicly accessible folders, including Apple, by using a script to scan for Box accounts with lists of company names and wildcard searches. Even Box’s own staff were found to be leaking sensitive data.
Apple, which has now reconfigured its enterprise accounts, had several folders exposed, containing what appeared to be non-sensitive internal data, such as logs and regional price lists.
Worse, some public folders were scraped and indexed by search engines, making the data found more easily.
Adversis said it found passport photos, bank account and Social Security numbers, passwords, employee lists, financial data like invoices and receipts, and customer data among the data found. The company contacted Box to warn of the larger exposures of sensitive data but noted that there was little overall improvement six months after its initial disclosure.
Adversis has already advised Box administrators to reconfigure the default access for shared links to “people in your company” to reduce accidental exposure of data to the public.