TechAdvisory.org

Technology Advice for Small Businesses

Did Microsoft commit a security breach?

In case you didn’t know, Microsoft provides Office 365 users with a free document-sharing platform called docs.com. It’s a great new tool for publishing files intended for public viewing. The downside is that sensitive documents are published without the file owners’ permission. This affects hundreds of users who might be unaware that their private files can be viewed by the public.

What’s the damage?

Usernames and passwords for various devices and applications; personal information such as home and email addresses, bank account details, social security numbers, and phone numbers; and medical info comprising patient treatment data and health insurance numbers — all these were some of the supposedly leaked documents, which were clearly meant to be private. A security researcher discovered that these sensitive files were accessible using docs.com’s search function.

After being alerted to the ‘leak,’ Microsoft responded by removing the search bar. However, most of the documents had already been indexed by the search engines Google and Bing, which is how these docs remained available to the public even after the search function was disabled.

Recent updates

To alleviate the damage, Microsoft launched an update that limited what users can do to uploaded files, such as restricting files to a read-only status. Although buttons to ‘like,’ download, add to collections, and share on social media are enabled, only users who enter an email address or phone number, or who sign in using their Office or Microsoft account, can perform any of these functions. Since anyone can easily create a Microsoft account, docs.com users may not feel at ease.

Microsoft’s final word

Docs.com is easy to use and is valuable to those eager to publish their documents. The site’s user-friendliness also makes it a popular choice for Office 365 users who wish to ‘spread their work to the world.’ Office 365 users can easily upload from their own computer, OneDrive, or Sway account, and share away. Being a free service also adds a lot of incentive for users to upload their Word, Excel, or any other file onto the site.

In an effort to solve glaring privacy issues, Microsoft has issued some key updates, such as a warning message reminding users that the document to be uploaded will be publicly available on the web. While it may seem like Microsoft committed a blunder, a stricter privacy setting and a few stronger, more visible warnings to users can help make docs.com a useful productivity tool rather than a hacker’s hunting ground.

Discerning Office 365 users can make the most out of docs.com, but they should use the service with caution. If you’ve uploaded documents with sensitive information on docs.com, now is the best time to remove them from the site, or review your privacy settings here and in other document-sharing services.

If you’re not sure how to proceed, or want to learn more about this and other Microsoft products and services, call us now for advice.