Incorrectly configured accounts on the cloud service Box.com led to the leakage of confidential data and business documents of dozens of major companies, including Amadeus, Apple, Herbalife, Schneider Electric, the Discovery channel and even Box itself.
According to experts from the information security company Adversis, which detected the leak, the problem is that Box Enterprise account owners did not set the share-link option for files and folders to “People in your company”. As a result, all new links that were supposed to be hidden were publicly accessible. Using a special script, the researchers identified more than 90 companies with public folders. The tool has been published on GitHub.
The folders contain a variety of information, including passport photos, social security numbers, passwords, VPN settings, lists of employees, financial information (invoices, receipts, account numbers, etc.), a database with names and email addresses of millions of customers, contracts, information on proprietary technology and other internal documentation. For example, a Schneider Electric folder contained dozens of customer orders and instructions for installing the system, including the default password and “backdoors” in case customers forgot their passwords.
Experts have informed the affected companies about the data breach. Amadeus, Apple, Box, Discovery, Herbalife, Edelman and PointCare have already changed the settings in their corporate accounts. Owners of Box.com accounts are strongly advised to check their account configuration and to audit their accounts for publicly accessible links.
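One way to carry out the recommended audit, as an added example that is not from Adversis or Box: the script below reviews item metadata exported from your own Box account and flags shared links that anyone with the URL can open. The sample entries are constructed, and the field names (`shared_link.access`, `effective_access`, `is_password_enabled`, `unshared_at`) are an assumption that the export follows the Box API's shared-link object.

```python
import json
from datetime import datetime, timezone

# Constructed sample, shaped like the "entries" of a Box folder listing
# requested with the shared_link field included. Not real data.
SAMPLE = json.loads("""
{"entries": [
 {"type": "folder", "id": "1001", "name": "Customer orders",
  "shared_link": {"url": "https://example.invalid/s/aaa", "access": "open",
                  "is_password_enabled": false, "unshared_at": null}},
 {"type": "file", "id": "1002", "name": "Staff list.xlsx",
  "shared_link": {"url": "https://example.invalid/s/bbb", "access": "company",
                  "is_password_enabled": false, "unshared_at": null}},
 {"type": "file", "id": "1003", "name": "VPN settings.pdf",
  "shared_link": {"url": "https://example.invalid/s/ccc", "access": "open",
                  "is_password_enabled": true, "unshared_at": null}},
 {"type": "file", "id": "1004", "name": "Notes.txt", "shared_link": null},
 {"type": "file", "id": "1005", "name": "Old invoice.pdf",
  "shared_link": {"url": "https://example.invalid/s/ddd", "access": "open",
                  "is_password_enabled": false,
                  "unshared_at": "2019-01-01T00:00:00+00:00"}}
]}
""")

def audit_shared_links(entries, now=None):
    """Return one finding per item whose shared link is open to anyone."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for item in entries:
        link = item.get("shared_link")
        if not link:
            continue  # item has no shared link at all
        # Prefer effective_access when present: it reflects admin restrictions.
        access = link.get("effective_access") or link.get("access")
        if access != "open":
            continue  # "company" and "collaborators" links are not public
        expiry = link.get("unshared_at")
        if expiry and datetime.fromisoformat(expiry) <= now:
            continue  # link already expired, no longer reachable
        # Severity labels are this example's own: a password lowers exposure.
        severity = "medium" if link.get("is_password_enabled") else "high"
        findings.append({"id": item["id"], "type": item["type"],
                         "name": item["name"], "url": link["url"],
                         "severity": severity, "expires": expiry})
    return findings

if __name__ == "__main__":
    for f in audit_shared_links(SAMPLE["entries"]):
        print(f"[{f['severity']}] {f['type']} {f['id']} {f['name']} -> {f['url']}")
```

Each finding is a candidate for switching the link to “People in your company”, adding an expiration date, or removing the link.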