Compromised Box Accounts Exposes Corporate Data of Over 90 Companies

• Box accounts are compromised and sensitive data belonging to over 90 companies are exposed.
• The vulnerabilities don’t seem to be with the accounts themselves, but with a file sharing feature.
• Sensitive data like social security numbers, bank account details, customer data, device prototypes, and so on, are inadvertently accessible to the public.

Box, a premium cloud content management and file sharing service for businesses, has major security flaws. According to recent discoveries made by Adversis, a cybersecurity firm, corporate data of over 90 companies including Apple’s are left inadvertently accessible.

The security flaw isn’t with the accounts themselves, as Adversis explains. However, Box users have the option to send files and folders using sharable links. These links, on the other hand, can be easily discovered which makes the associated files accessible as well.

All Adversis had to do was use well-known domain and sub-domain names for companies with a box account, and then script a dictionary attack to identify valid links. This could easily hand you access to shareable links, that were otherwise meant to be private.

On top of that, many company employees, not aware of the potential threat might even share sensitive data using publically accessible links. This compounds the risk even further as the folders can now be scraped and indexed by search engines.

Adversis has already released a blog post, citing all the security vulnerabilities they discovered, along with measures to minimize the risk of data exposure. When they were going about their testing, the security firm found highly sensitive employee data being easily accessible.

This includes information like bank account numbers, social security numbers, high-profile prototype designs, financial data, passport photos, customer lists, IT data, and much more.

According to Adversis, they had reached out to Box regarding the potential flaw in their system way back in September and waited six months before they finally made the news public today.

Denis Ron, a Box spokesperson, has stated that the company is currently taking action to make mitigate the issue as much as possible.

A focus will be taken to make "sharing" instructions more clear so that files holding sensitive information aren't mistakenly shared publically. Also, more admin policies will be introduced along with advanced sharing control for the links.

So what’s your take on the current situation? Let us know in the comments below. And don’t forget to follow us on Facebook and Twitter to stay updated about the latest security breaches, so you can stay on top of the hackers.