[BreachExchange] FYI Docs.com users: You may have leaked passwords, personal info – thousands have

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 28 18:57:20 EDT 2017


https://www.theregister.co.uk/2017/03/27/microsoft_docs_com_office_365_leak/

Thousands of netizens inadvertently shared passwords and other highly
private information with the rest of the planet – via Microsoft's publicly
searchable Docs.com service.

Docs.com allows people to exchange documents between friends and
colleagues, and the wider world, and can be searched for keywords. It
sounds like a neat idea for passing around plans, presentations, and
similar stuff. Microsoft describes the service thus:

"Docs.com is an online showroom where you can collect and publish Word
documents, Excel workbooks, PowerPoint and Office Mix presentations,
OneNote notebooks, PDF files, Sway stories, and Minecraft worlds. With
Docs.com, it’s easy for you to share with others what interests you, and
your content looks great on any device.

"Anything you publish with Public visibility will appear in worldwide
search engine results and can be shared by you and others on social media
sites. This option is a great way to get your work noticed. On the other
hand, anything you publish with Limited visibility does not appear in
search engine results and can be viewed only by people with whom a direct
link to your content has been shared. Similarly, anything you publish with
Organization visibility does not appear in search engine results and can be
viewed only by those who sign in with a school or work account from your
school or organization."

Unfortunately, a lot of files have ended up on there, with public
visibility, that aren't meant to be seen. Over the weekend, security
researchers started using the Docs.com search bar to investigate what could
be found – looking up things like "password" and "confidential" – and the
results were deeply worrying.

Loads of folks were accidentally exposing their data online, via Docs.com,
from social security numbers and bank account details to password lists,
medical records, and even a divorce settlement or two. Basically, it's a
social engineer's wet dream.

Microsoft have a website called https://t.co/3TC07CB8gE where Office 365
customers can share anything in public. It has a search function.

— Kevin Beaumont (@GossiTheDog) March 25, 2017


The problem was two-fold. First, thousands weren't marking sensitive
documents as non-public; and second, Microsoft helpfully included a search
bar of publicly available documents.

As word spread over the weekend of the treasure trove of documents online,
Microsoft temporarily shut down the search function, and alerted people who
have overshared information.

"As part of our commitment to protect customers, we're taking steps to help
those who may have inadvertently published documents with sensitive
information," a spokesperson told The Reg. "Customers can review and update
their settings by logging into their account at www.docs.com."

However, that's not the end of the issue. There are still pages cached that
hold information in a viewable format if you use the right search engine
queries. In the meantime, users are advised to check their security
settings and to be more careful next time they share information online.

Our advice is: check to make sure you, or anyone in your organization, team
or family, hasn't leaked anything in public via Docs.com.
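The article describes the researchers' method (keyword searches such as "password" and "confidential" against publicly visible documents) and the kinds of data found (SSNs, bank account details, password lists). The following is an added example, not code from The Register, Microsoft or Docs.com: a pre-publication check that runs the same kind of search in reverse over an organization's own documents and flags only those that are both Public and contain sensitive content. The document records, the visibility field and the detection patterns are constructed assumptions; the three visibility values mirror the tiers Microsoft's description quotes above.

```python
"""Added example: pre-publication scan for the kinds of content the article
reports leaking via Docs.com. Not Microsoft's or Docs.com's code; the sample
documents and the detection patterns below are constructed assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Terms the researchers typed into the Docs.com search bar, per the article.
SEARCH_TERMS = ("password", "confidential")

# Regexes for data types the article reports leaked (assumed patterns, first cut).
PATTERNS = {
    # US SSN: area not 000/666/9xx, group not 00, serial not 0000.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # "password: x", "passwd = y", "pwd:z" style lines; group 1 is the secret.
    "credential": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE),
    # IBAN-shaped bank identifiers; confirmed with the mod-97 check below.
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    snippet: str  # masked, so the audit report does not itself leak the value


def mask(value: str) -> str:
    """Keep only the last two characters: '123-45-6789' -> '*********89'."""
    if len(value) <= 2:
        return "*" * len(value)
    return "*" * (len(value) - 2) + value[-2:]


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    letters A-Z to 10-35, and the resulting integer must be congruent to 1."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per sensitive hit, line-numbered, with values masked."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        for term in SEARCH_TERMS:
            if term in lowered:
                findings.append(Finding("keyword", lineno, term))
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if kind == "iban" and not iban_checksum_ok(value):
                    continue  # IBAN-shaped but checksum fails: probably a reference number
                findings.append(Finding(kind, lineno, mask(value)))
    return findings


def audit(documents: Iterable[dict]) -> list[tuple[str, list[Finding]]]:
    """The article's two-fold problem as one check: a document is flagged only
    if it is Public (hence searchable) AND contains sensitive content."""
    flagged = []
    for doc in documents:
        hits = scan_text(doc["text"])
        if doc["visibility"] == "Public" and hits:
            flagged.append((doc["title"], hits))
    return flagged


# Constructed sample documents using the three Docs.com visibility tiers.
SAMPLE_DOCS = [
    {"title": "Team onboarding notes", "visibility": "Public",
     "text": "Wi-Fi password: hunter2\nPayroll contact SSN 123-45-6789\n"
             "Expense account GB82WEST12345698765432\n"},
    {"title": "Q3 roadmap", "visibility": "Public",
     "text": "Ship the redesigned dashboard.\nHire two engineers.\n"},
    {"title": "Divorce settlement draft", "visibility": "Limited",
     "text": "CONFIDENTIAL\nParties agree to the terms below.\n"},
]

if __name__ == "__main__":
    for title, hits in audit(SAMPLE_DOCS):
        print(f"DO NOT PUBLISH: {title}")
        for f in hits:
            print(f"  line {f.line}: {f.kind} {f.snippet}")
```

The Limited-visibility document still contains "CONFIDENTIAL" and scan_text reports it, but audit leaves it alone, which is the distinction the article draws: the leak needed both the sensitive content and the Public setting. Masking the matched values matters because an audit report of this kind tends to be shared more widely than the documents it covers.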