We have discovered dozens of Box.com corporate repositories that reveal data from Apple, Herbalife, etc.

Adversis researchers found dozens of corporate accounts on the Box.com file storage cloud service, which contained freely accessible sensitive corporate information and personal customer data.

In total, more than 90 companies were found that had on the Box service freely available files with passport scans, social security numbers (SSN), bank account numbers, passwords, lists of employees, etc.

For the search, a special script was used (link at the bottom of the article), sorting out accounts on the Box, using an English dictionary of words and a set of templates.

The URL for shared files on the Box is:

https: //.app.box.com/v/ <file / folder>

First, the dictionary selects the name of the company, then selects the name of the file or folder.

In much the same way (brute force), Amazon’s open cloud storage is discovered, I wrote a separate note about it. It is only worth noting that, unlike cases when entire repositories (buckets) are left open on AWS, incorrectly setting access rights to them, in the case of Box, the files found were deliberately shared for exchange and the absence of unauthorized access to them was guaranteed outsiders find out the URL (classics of the genre - security through obscurity).

Some companies in whose Box accounts data was found:

• Apple - regional price lists for products and some logs.
• Amadeus ticket booking system - documents and files related to Singapore Airlines.
• Discovery Channel - a database with millions of customer names and email addresses, as well as contracts and tax documents.
• The American PR-company Edelman - resume with personal data of candidates for positions.
• Herbalife - spreadsheet files with names, phone numbers and email addresses of customers (about 100 thousand in total).
• Schneider Electric - project documentation containing, among other things, passwords for access to equipment.
• Actually, Box itself is a non-disclosure agreement with customers.

» Script for busting
» Dictionary
» A list (about 3 thousand) of some accounts on the Box

News about information leaks and insiders can always be found on my Information Leaks Telegram channel.