Who Have You Given Access to Your Online Files and Folders?

When was the last time you checked who has access to your online files and folders: Google Drive, Apple Cloud, Dropbox, Microsoft OneDrive and other sharing tools? Do you have a lot of files and folders set to “Anyone with the link”? If so, I strongly encourage you to restrict access as much as possible. It’s a security flaw we tend to overlook…

Anyone with the link

Here’s a scenario that illustrates the danger of leaving your folders and files set to “Anyone with the link”:

Around 2015, there were a lot of data breaches at major companies (Dropbox, Adobe, MySpace, Skype). These companies’ databases, including subscribers’ usernames, email addresses and passwords, were made public on hacker forums.

Take the example of an artist, a DJ, whose fans try every possible means to find songs that were never released to the public. These fans search through those databases and find the DJ’s credentials for their Skype and MySpace accounts. On Skype, by digging through the chat, they find several links leading to folders and files on Google Drive, sent by production companies. While browsing those folders, the fans come across music recordings that have never been released (what they were looking for), but also personal information about several well-known artists (passport, driver’s licence, mailing address, date of birth, etc.).

To prevent other fans from accessing their favourite artists’ accounts, they contact the artists and production companies to invite them to change their Skype password (yes, it’s a bit twisted). But just before doing so, they make sure to change the access to the shared folders from “Restricted” to “Anyone with the link,” which lets them come back into the production companies’ folders whenever they please and gain access to new songs before they’re made public! This practice is the same as finding the key to a building in the door handle, making a copy of it, then handing the key back to its owner and coming across as the good Samaritan!

To hear the true story behind this, I invite you to listen to the Dubsnatch episode of Darknet Diaries: https://darknetdiaries.com/episode/148/

What to do

  1. Log in to your accounts and restrict access to your folders and files: Google Drive, Microsoft OneDrive, Apple Cloud, Dropbox, Adobe, etc.
  2. Never leave confidential information about yourself or others on file-sharing applications: driver’s licence, passport, mailing address, phone number, date of birth, etc. The same goes for strategic information about your organization.
  3. Close the accounts you no longer use. Most companies have added a “Delete my account” button somewhere in the settings. Otherwise, you can write to them and request it. Under the law, you have the right to close your accounts.
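
For Google Drive, step 1 can also be checked from file metadata instead of opening every folder by hand. The Python below is an added example, not part of the original article: it assumes the metadata was already retrieved with the Drive API v3 `files.list` call, and the function name `audit_link_sharing` and all sample records are constructed for illustration.

```python
"""Flag Google Drive items shared as "Anyone with the link" from file metadata."""

# Roles that let the holder change content or sharing, not just read.
WRITE_ROLES = {"writer", "fileOrganizer", "organizer", "owner"}

# Constructed sample, shaped like the "files" array of a Drive API v3 files.list
# response requested with fields="files(id,name,permissions(id,type,role))".
# Every id and name here is made up.
SAMPLE_FILES = [
    {"id": "f1", "name": "Unreleased masters",
     "permissions": [{"id": "p1", "type": "user", "role": "owner"},
                     {"id": "anyoneWithLink", "type": "anyone", "role": "writer"}]},
    {"id": "f2", "name": "Tour contracts",
     "permissions": [{"id": "p1", "type": "user", "role": "owner"}]},
    {"id": "f3", "name": "Press kit",
     "permissions": [{"id": "p1", "type": "user", "role": "owner"},
                     {"id": "anyoneWithLink", "type": "anyone", "role": "reader"}]},
    # "permissions" is only returned when the requesting user can share the file.
    {"id": "f4", "name": "Shared by label"},
]


def audit_link_sharing(files):
    """Return (findings, unknown).

    findings: one dict per permission of type "anyone", editable items first.
    unknown:  names of files whose sharing settings were not visible, so they
              still need a manual check by their owner.
    """
    findings, unknown = [], []
    for f in files:
        if "permissions" not in f:
            unknown.append(f["name"])
            continue
        for perm in f["permissions"]:
            if perm.get("type") == "anyone":
                findings.append({
                    "file_id": f["id"],
                    "name": f["name"],
                    "role": perm.get("role"),
                    "writable": perm.get("role") in WRITE_ROLES,
                })
    findings.sort(key=lambda x: (not x["writable"], x["name"]))
    return findings, unknown


if __name__ == "__main__":
    found, unseen = audit_link_sharing(SAMPLE_FILES)
    for item in found:
        print(f'{item["name"]}: anyone with the link is {item["role"]}')
    print("Could not inspect:", ", ".join(unseen) or "none")
```

Each finding is an item to switch back to “Restricted” in the sharing dialog; items listed as not inspectable belong to someone else, who has to run the same check.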

If you have any questions, feel free to contact us at support@zaa.cc