Microsoft Office 365 users have been warned to check their privacy settings after it emerged some files uploaded to the company’s document-sharing platform were publicly accessible.
File-sharing service docs.com is part of the firm’s Office 365 cloud platform and enables users to upload and share files with anyone they wish.
However, it has now been discovered – initially by Buzzfeed – that the site stores files publicly by default, resulting in some users unintentionally sharing sensitive information, including passwords and health data, to the database which can also be publicly searched by anyone.
National insurance documents, pension forms and lists of passwords were found among search results, which can be accessed without a log-in.
Cyber security experts have now warned it serves as the latest example of web-users not fully understanding where files can go when they are uploaded.
Security specialist Mark James from ESET said: “One of the problems with words like ‘Cloud’ is people’s perception of exactly what it means.
“We need to understand that ultimately, you’re just storing your information on someone else’s computer.
“Companies have an obligation to protect our privacy and in most cases, they can always do better, but usually the final decision of where we store our data is ours and one that we should review regularly.”
Cloud computing services work by housing data on remote servers rather than in one place, with users then able to log in and access their files on any device.
Microsoft confirmed it was aware of the problem and was working with any users who may have been affected.
“Docs.com lets customers showcase and share their documents with the world,” a company spokesman said.
“As part of our commitment to protect customers, we’re taking steps to help those who may have inadvertently published documents with sensitive information. Customers can review and update their settings by logging into their account at www.docs.com.”
When uploading files to docs.com, users are shown a message that warns them that by default their files are “public on the web”, however some have criticised the inclusion of a “do not show me this message again” option in the window, which stops any future reminders when uploading more files.
Javvad Malik, from security firm AlienVault, criticised Microsoft for not making it clearer to consumers how data was being stored.
“It highlights the need for cloud service providers to be clear in communicating how users’ data is used, shared, and stored, but also the need for users of services to be wary of the risks that come with such activities,” he said.