​Microsoft pulls then revives Docs.com search after complaints of exposed sensitive files

Security experts pointed to numerous sensitive and personal files found on Microsoft's document sharing site, which lets users share documents publicly by default.

msft-hero.jpg

(Image: file photo)

Microsoft has quietly removed a feature on its document sharing site Docs.com that allowed anyone to search through millions of files for sensitive and personal information.

Users had complained over the weekend on Twitter that anyone could use the site's search box to trawl through publicly-accessible documents and files stored on the site, which were clearly meant to remain private.

Among the files reviewed by ZDNet, and seen by others who tweeted about them, included password lists, job acceptance letters, investment portfolios, divorce settlement agreements, and credit card statements -- some of which contained Social Security and driving license numbers, dates of birth, phone numbers, and email and postal addresses.

The company removed the site's search feature late on Saturday, but others observed that the files were still cached in Google's search results, as well as Microsoft's own search engine, Bing.

We're not publishing or linking to any of the documents or files.

We left a voicemail with one of the people whose phone number was listed in a document they purportedly published, but did not hear back at the time of writing.

In an age of data breaches, leaks, and exposures, this incident falls within a unique set of parameters.

It's clear that Microsoft hasn't suffered a data breach, though its users have inadvertently had their data exposed. Who's to blame depends on how you look at it. All of the documents would have been uploaded by their owners, but they may not have realized that each document could be made public, which is Docs.com's default uploading setting, compared to files created or edited with Word and Excel Online, which are private until set otherwise.

But Microsoft's effort to pull the search feature for now shows there's some responsibility on the software giant's part.

A Microsoft spokesperson said the company was "taking steps to help those who may have inadvertently published documents with sensitive information," and advised users to review and update their settings by logging into their account.

On Sunday, the search feature was added back, and is still exposing personal information., but Microsoft hasn't explained why it reintroduced the feature again.

When reached, a Microsoft spokesperson on Monday declined to comment further.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All