Security experts pointed to numerous sensitive and personal files found on Microsoft’s document sharing site, which lets users share documents publicly by default.
Microsoft has quietly removed a feature on its document sharing site Docs.com that allowed anyone to search through millions of files for sensitive and personal information.
Users had complained over the weekend on Twitter that anyone could use the site’s search box to trawl through publicly-accessible documents and files stored on the site, which were clearly meant to remain private.
The files reviewed by ZDNet, and seen by others who tweeted about them, included password lists, job acceptance letters, investment portfolios, divorce settlement agreements, and credit card statements, some of which contained Social Security and driving license numbers, dates of birth, phone numbers, and email and postal addresses.
The company removed the site’s search feature late on Saturday, but others observed that the files were still cached in Google’s search results, as well as in Microsoft’s own search engine, Bing.
We’re not publishing or linking to any of the documents or files.
We left a voicemail with one of the people whose phone number was listed in a document they purportedly published, but did not hear back at the time of writing.
In an age of data breaches, leaks, and exposures, this incident falls within a unique set of parameters.
It’s clear that Microsoft hasn’t suffered a data breach, though its users have inadvertently had their data exposed. Who’s to blame depends on how you look at it. All of the documents would have been uploaded by their owners, who may not have realized that each document could be made public, which is Docs.com’s default uploading setting. Files created or edited with Word and Excel Online, by comparison, are private until set otherwise.
But Microsoft’s effort to pull the search feature for now shows there’s some responsibility on the software giant’s part.
A Microsoft spokesperson said the company was “taking steps to help those who may have inadvertently published documents with sensitive information,” and advised users to review and update their settings by logging into their account.