Thousands of netizens inadvertently shared passwords and other highly private information with the rest of the planet – via Microsoft's publicly searchable Docs.com service.
Docs.com allows people to exchange documents between friends and colleagues, and the wider world, and can be searched for keywords. It sounds like a neat idea for passing around plans, presentations, and similar stuff. Microsoft describes the service thus:
Docs.com is an online showroom where you can collect and publish Word documents, Excel workbooks, PowerPoint and Office Mix presentations, OneNote notebooks, PDF files, Sway stories, and Minecraft worlds. With Docs.com, it’s easy for you to share with others what interests you, and your content looks great on any device.
Anything you publish with Public visibility will appear in worldwide search engine results and can be shared by you and others on social media sites. This option is a great way to get your work noticed. On the other hand, anything you publish with Limited visibility does not appear in search engine results and can be viewed only by people with whom a direct link to your content has been shared. Similarly, anything you publish with Organization visibility does not appear in search engine results and can be viewed only by those who sign in with a school or work account from your school or organization.
Unfortunately, a lot of files have ended up on there, with public visibility, that aren't meant to be seen. Over the weekend, security researchers started using the Docs.com search bar to investigate what could be found – looking up things like "password" and "confidential" – and the results were deeply worrying.
Loads of folks were accidentally exposing their data online, via Docs.com, from social security numbers and bank account details to password lists, medical records, and even a divorce settlement or two. Basically, it's a social engineer's wet dream.
Microsoft have a website called https://t.co/3TC07CB8gE where Office 365 customers can share anything in public. It has a search function. — Kevin Beaumont (@GossiTheDog) March 25, 2017
The problem was two-fold. First, thousands of people – from Office 365 subscribers to others with Microsoft single-sign-on accounts – weren't marking sensitive documents as non-public; and second, Microsoft helpfully included a search bar of publicly available documents.
As word of the treasure trove of documents online spread over the weekend, Microsoft temporarily shut down the search function and alerted people who had overshared information.
"As part of our commitment to protect customers, we're taking steps to help those who may have inadvertently published documents with sensitive information," a spokesperson told The Reg. "Customers can review and update their settings by logging into their account at www.docs.com."
However, that's not the end of the issue. There are still pages cached that hold information in a viewable format if you use the right search engine queries. In the meantime, users are advised to check their security settings and to be more careful next time they share information online.
Our advice is: check to make sure you, or anyone in your organization, team or family, hasn't leaked anything in public via Docs.com. ®