UPDATED 21:45 EDT / MARCH 11 2019

SECURITY

Corporate data stored on Box exposed by employees sharing public links

Security researchers have discovered terabytes of data from over 90 companies exposed by employees sharing publicly available links to Box Inc.’s cloud storage platform.

In an issue detailed today by cybersecurity firm Adversis LLC, the data and documents had all been uploaded to Box Enterprise accounts and then shared via links by employees, making them viewable by anyone who has the shared URL. Using known shared URLs as a starting point, the researchers were then able to brute-force similar links, uncovering other links that were also publicly accessible.

“After identifying thousands of Box customer sub-domains through standard intelligence gathering techniques and using a relatively large wordlist, we discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of customers,” the researchers said.

Data discovered included passport photos, social security and bank account numbers, high-profile technology prototype and design files, employee lists, financial data, invoices, internal issue trackers, customer lists, archives of years of internal meetings, IT data, VPN configurations and network diagrams.

The researchers noted that the situation is different from the common cases of Amazon Web Services Inc.’s S3 storage instances being exposed. “On one hand this issue is worse than the S3 bucket issue because finding a company’s Box account is fairly easy, unlike with S3 bucket names which can be long and difficult to guess,” the researchers explained. “On the other hand, employees seem much less likely to store full databases in Box.”

Underscoring the risk of exposure, the researchers found that in some cases the shared Box links had been indexed by search engines.

According to TechCrunch, the companies with exposed data on Box included Apple Inc., Discovery Inc., Herbalife Nutrition Ltd., Schneider Electric SE and even Box itself.

Adversis informed Box of its discovery Sept. 24. Box responded with a public service announcement about securing files Sept. 28. Adversis added that it had published the details only now in order to give companies time to secure their documents and data.

The potential for Box accounts to expose data to the public remains, however. Box recommends that administrators set the default access for shared links to “people in your company,” which reduces the chance of users accidentally creating public links, and that users not create public custom shared links to content that is not intended for public consumption.
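The mitigation above is a configuration default; an administrator still needs a way to find links that were already created with the "anyone with the link" setting. The following audit is an added example, not code from the article, from Adversis or from Box. It assumes an export of file metadata in the shape of Box's documented file object, where `shared_link.access` is one of `open` (anyone with the URL), `company` or `collaborators`, and `shared_link.is_password_enabled` marks links protected by a password; the records, file names and URLs embedded below are constructed placeholders, not real Box output. The check goes slightly beyond the article's recommendation by triaging the public links it finds using file-name hints drawn from the kinds of data the researchers reported.

```python
"""Audit a constructed export of Box-style file metadata for publicly reachable shared links.

Added example; the export below is constructed sample data (placeholder names and URLs),
and the field names follow Box's shared_link object as an assumption about the export format.
"""
import json

# Constructed sample export: four files, two of them shared with access "open".
SAMPLE_EXPORT = json.dumps([
    {"id": "1", "name": "vpn-config.ovpn",
     "shared_link": {"url": "https://example.app.box.com/s/placeholder1", "access": "open"}},
    {"id": "2", "name": "meeting-notes.docx",
     "shared_link": {"url": "https://example.app.box.com/s/placeholder2", "access": "company"}},
    {"id": "3", "name": "roadmap.pdf", "shared_link": None},
    {"id": "4", "name": "customer-list.xlsx",
     "shared_link": {"url": "https://example.app.box.com/s/placeholder3", "access": "open",
                     "is_password_enabled": True}},
])

# File-name fragments suggesting the data categories the researchers reported as exposed.
SENSITIVE_HINTS = ("vpn", "passport", "customer", "invoice", "network", "diagram", "employee")

# Severity ordering used when ranking findings.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def find_public_links(records):
    """Return records whose shared link is reachable by anyone holding the URL."""
    return [
        r for r in records
        if r.get("shared_link") and r["shared_link"].get("access") == "open"
    ]


def triage(records):
    """Rank public links so unprotected, sensitive-looking files come first.

    high   : sensitive name and no password on the link
    medium : sensitive name but password-protected, or non-sensitive name without password
    low    : non-sensitive name and password-protected
    """
    findings = []
    for r in find_public_links(records):
        link = r["shared_link"]
        name = r["name"].lower()
        sensitive = any(hint in name for hint in SENSITIVE_HINTS)
        protected = bool(link.get("is_password_enabled"))
        if sensitive and not protected:
            severity = "high"
        elif sensitive or not protected:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "id": r["id"],
            "name": r["name"],
            "url": link["url"],
            "severity": severity,
            # Remediation matching Box's own recommendation: restrict to people in the company.
            "recommended_access": "company",
        })
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def audit(export_json):
    """Parse a JSON export and return the ranked list of public-link findings."""
    return triage(json.loads(export_json))


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(f"[{finding['severity']}] {finding['name']} -> set access to "
              f"'{finding['recommended_access']}' ({finding['url']})")
```

Run against the constructed export, the audit reports the unprotected VPN configuration as high severity and the password-protected customer list as medium; files shared only within the company or not shared at all produce no finding. Searching by file name is a heuristic, so the ranking is a starting point for review, not a substitute for it.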

Photo: Pxhere
