Bad Box configurations lead to leaks of sensitive corporate data

Box allows users to easily share files that are vulnerable to brute-force attacks, cybersecurity company Adversis said.

Dozens of organizations left terabytes of data exposed online through web links to files hosted on data-sharing platform Box, according to research published Monday.

The exposed data, which spanned hundreds of thousands of documents, included Social Security and bank account numbers; hundreds of passport photos; files of technology prototypes; VPN configurations; and financial data and invoices, according to Adversis, a vulnerability assessment company.

Box allows users to easily share files that, if not properly secured, are vulnerable to brute-force attacks, the research shows. After locating the sub-domains of various corporate Box accounts, Adversis researchers began brute-forcing files and folders, “returning results faster than we could review them.”

TechCrunch was first to report on the data leak.


As the researchers pointed out, their findings have parallels with security problems in another popular data storage service – Amazon Web Services S3 “buckets” – which are routinely exposed online. The Box issue is worse in that it is pretty easy to find a company’s Box account, but not as bad in the sense that an organization’s employees are less likely to load full databases into Box, Adversis said.

“If your company uses Box, there is a good chance you are leaking sensitive data already and you may want to finish reading this after you disable public file sharing,” Adversis wrote in a blog post.

The company said it had planned to contact all the affected organizations, but “quickly realized that was impossible at this scale.” Aside from Box, the researchers ultimately only communicated with a “small minority” of the affected vendors and companies, including those with the most sensitive data exposed. Most organizations that were contacted swiftly mitigated the issue, Adversis said.

Box has updated its file-sharing guidance, advising people to set default access to share files only with internal company users.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts