Misconfigured Box Accounts Cause Data Leaks for Apple & Others

Box is a popular solution for companies that need file sharing and cloud content management services. It's a fairly old company now (founded 2005), which makes the latest data leak due to improperly configured accounts a bit embarrassing, especially since it involves high-profile companies and Box itself.

Image via Box.com

Software as a Service (SaaS) providers are becoming more numerous by the month. Think of things like Salesforce. While Box functions a bit differently, it still contains a great deal of sensitive information.

Thanks to “improperly configured” accounts, many users’ data are now compromised.

Cybersecurity firm Adversis investigated the issue once it was discovered last year. As a result of their digging, they found out exactly why it happened, what was compromised, and how to fix the problem.

Adversis showed how easily they accessed some folders without even logging into a Box account. | Adversis

A Longstanding User Error Exposing Private Data

In total, more than 90 companies fell victim to this data leak. Essentially, if a company had not properly adjusted their folders, anyone could publicly access them. However, simple public access is just the tip of this inadvertent iceberg.

Adversis went on to say that search engines even indexed some of the public folders. That means that whatever data the folders held can now be found more easily by anyone searching for it.

The leaked data included some of the following types:

  • Passport photos
  • Social security numbers
  • Bank accounts
  • Employee lists
  • Financial data such as invoices or receipts
  • Passwords

Adversis notified Box once it discovered how compromised the sensitive data was. Due to the prolific nature of the leak, Box cannot deal with each case individually. What’s worse, this is not the first time Box has had this issue, as you can see in the tweet below from 2018.

Ensure Your Protection by Using Box Appropriately

In addition to the folder access setting, vanity URLs created problems as well. Anyone wishing to gain access could use dictionary attacks to guess the links of random characters in the URLs.

Though Box notified clients of the issue in September of 2018, the issue persists.

Thankfully, since Adversis is open source, you can read all about their process here. They outline the issue, how to fix it, and what steps they took to identify the leaks. If your company uses Box, you may want to follow their steps to protect your data.

They also take time to mention that this is a feature and not a bug or vulnerability. Despite this notation, only time will tell if Box escapes the revelation unscathed.
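As an added example (not code from this article, Adversis, or Box), the sketch below shows how an administrator could flag the sharing settings described above in item metadata already exported from Box. It assumes each item carries a `shared_link` object with the fields Box documents for shared links (`access`, `effective_access`, `vanity_name`, `is_password_enabled`, `unshared_at`); the function names and sample items are constructed for illustration.

```python
from typing import Iterable

def assess_shared_link(item: dict) -> list[str]:
    """Return the reasons an item's shared link is risky (empty list if none)."""
    link = item.get("shared_link")
    if not link:  # item has no shared link at all
        return []
    # effective_access is the level actually enforced after enterprise policy
    access = link.get("effective_access") or link.get("access")
    if access != "open":  # "company" and "collaborators" both require a login
        return []
    reasons = ["open access: viewable by anyone with the URL, no login"]
    if link.get("vanity_name"):
        reasons.append("custom URL name set: easier to guess than a random link")
    if not link.get("is_password_enabled"):
        reasons.append("no password on the link")
    if not link.get("unshared_at"):
        reasons.append("no expiration date")
    return reasons

def audit(items: Iterable[dict]) -> list[dict]:
    """Return one finding per risky item, most reasons first."""
    findings = [
        {"id": i["id"], "name": i["name"], "reasons": r}
        for i in items
        if (r := assess_shared_link(i))
    ]
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)

# Constructed sample metadata (hypothetical IDs and names, not real data).
SAMPLE_ITEMS = [
    {"id": "1003", "name": "Finance Q3", "shared_link": {
        "access": "company", "effective_access": "company", "vanity_name": None,
        "is_password_enabled": False, "unshared_at": None}},
    {"id": "1002", "name": "Press kit", "shared_link": {
        "access": "open", "effective_access": "open", "vanity_name": None,
        "is_password_enabled": True, "unshared_at": "2030-01-01T00:00:00-08:00"}},
    {"id": "1001", "name": "HR onboarding", "shared_link": {
        "access": "open", "effective_access": "open", "vanity_name": "hr-onboarding",
        "is_password_enabled": False, "unshared_at": None}},
    {"id": "1004", "name": "Drafts", "shared_link": None},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ITEMS):
        print(finding["id"], finding["name"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Items limited to "company" or "collaborators" access are skipped because viewers must sign in; everything reported is reachable without an account.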

Juliet Childers

Content Specialist and EDGY OG with a (mostly) healthy obsession with video games. She covers Industry buzz including VR/AR, content marketing, cybersecurity, AI, and many more.
