Compromised Box Accounts Expose Corporate Data From More Than 90 Companies

By Nitish Singh - March 11, 2019

Figure 1: Photo courtesy of Box.com

Box accounts have been compromised, and sensitive data from more than 90 companies has been exposed. The flaw does not appear to lie with the accounts themselves but with a file-sharing feature. Sensitive data such as social security numbers, bank account details, customer data, system prototypes, and so on is inadvertently accessible to the public.

As Adversis states, the security flaw isn't with the accounts themselves. Box users, however, have the option of sharing files and folders using shareable links. These links are easy to discover, which also makes the associated files available. Adversis searched for companies with a Box account using well-known domain and subdomain names and then scripted a dictionary attack to find the relevant links. This could easily give access to shared links that were otherwise intended to be private.

In addition, several company employees who are unaware of the potential threat could even exchange sensitive data using links that are publicly available. This further increases the danger, since search engines can then scrape and index the files.

Adversis has already published a blog post listing all the vulnerabilities they have found, along with steps to minimize the risk of data exposure. During its research, the security firm found highly sensitive employee data easy to access. This includes information such as bank account numbers, high-profile project designs, social security numbers, customer lists, financial data, passport photos, IT records, and much more.

Denis Ron, a spokesman for Box, said the company is currently taking action to reduce the problem. The focus will be on making the instructions for "sharing" clearer so that files holding sensitive information are not mistakenly shared publicly. It will also add more admin policies along with advanced sharing controls for the links.

Stay up to date on the latest security threats so that you can stay ahead of the hackers.
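
The exposure described above comes down to shared links that anyone can open. The following is an added example, not code from the original article or from any party it names: a defender-side audit over an exported inventory of shared links that flags the public ones and ranks them by how exposed they are. The record fields (`access`, `is_password_enabled`, `unshared_at`, `vanity_name`) and the sample inventory are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample inventory (not real data): one record per shared item.
# Field names are assumptions for this example.
SAMPLE_LINKS = [
    {"item": "Q1-payroll.xlsx", "owner": "alice@example.com", "access": "open",
     "is_password_enabled": False, "unshared_at": None, "vanity_name": "payroll"},
    {"item": "brochure.pdf", "owner": "bob@example.com", "access": "open",
     "is_password_enabled": True, "unshared_at": "2019-04-01T00:00:00+00:00",
     "vanity_name": None},
    {"item": "design-spec.docx", "owner": "carol@example.com", "access": "company",
     "is_password_enabled": False, "unshared_at": None, "vanity_name": None},
    {"item": "old-export.csv", "owner": "dave@example.com", "access": "open",
     "is_password_enabled": False, "unshared_at": "2019-01-15T00:00:00+00:00",
     "vanity_name": None},
]

def audit_link(link, now):
    """Return the findings for one shared-link record (empty list = nothing to flag)."""
    if link["access"] != "open":
        return []  # restricted to the company or to invited collaborators
    expiry = link.get("unshared_at")
    if expiry and datetime.fromisoformat(expiry) <= now:
        return []  # link has already expired
    findings = ["public: anyone holding the URL can open it"]
    if not link.get("is_password_enabled"):
        findings.append("no password")
    if not expiry:
        findings.append("no expiry date")
    if link.get("vanity_name"):
        findings.append("custom link name can be guessed from a word list")
    return findings

def audit(links, now=None):
    """Return (item, owner, findings) tuples for exposed links, worst first."""
    now = now or datetime.now(timezone.utc)
    report = []
    for link in links:
        findings = audit_link(link, now)
        if findings:
            report.append((link["item"], link["owner"], findings))
    report.sort(key=lambda row: len(row[2]), reverse=True)
    return report

if __name__ == "__main__":
    as_of = datetime(2019, 3, 11, tzinfo=timezone.utc)
    for item, owner, findings in audit(SAMPLE_LINKS, as_of):
        print(f"{item} ({owner}): " + "; ".join(findings))
```

Each flagged owner can then be asked to restrict the link to the company or to named collaborators, or to add a password and an expiry date.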