The Trojan Horse Effect: How We Found Highly Sensitive Business Documents in Dropbox Accounts

For the third year in a row, we uncovered sensitive files stored on consumer file sharing services in our routine Google AdWords campaign.


26 May 2016

File sync and share vulnerability

For the last three years, we’ve conducted a routine Google AdWords campaign focused on consumer file sharing applications like Dropbox and Box. Each year, we inadvertently uncover live links to active accounts that give us direct access to files stored on these services. These files have included tax returns, healthcare records, business account information and a depressing trove of X-rated content.

This year, we again unearthed highly sensitive documents, including medical lab results and business plans. For many businesses, it’s a Trojan horse effect: employees are using consumer file sharing and storage systems without taking any steps to keep the information safe and confidential. It’s a risky source of data leakage that companies need to address.

Redacted document

The Bigger Picture

When using file sharing apps such as Dropbox and Box, many people do not take simple precautions to ensure their highly sensitive data is secure. This also extends to confidential company data where findings are even more unsettling among corporations and businesses. The way their employees are saving and storing information is not ideal and as a result, the number of security breaches and data leaks continues to steadily increase. It is the employers’ responsibility to train, supervise and enforce appropriate workplace policies to prevent company data from finding its way into these products where sharing is unsecured.

Making Changes

So, what does this all mean? For one, our processes for sharing information are out of control. People are mistakenly sharing their highly personal information like they share drinks, passing them around in such a manner that has become so routine that people don’t even think twice.

If cutting back on identity theft and securing your personal information and confidential data is a priority, as it should be, here are some ways you can keep the bad guys out:

  • If your sensitive information has already been shared with the appropriate party, be sure to delete those files. Once those files are deleted, any person that gets their hands on that clickable URL will no longer have access to the information, ensuring your personal information stays personal. This also goes for sharing information in a public folder. Once you have already shared those files, delete them.

  • Do not mix work with pleasure. Keep your personal files off of your work computer and most importantly, in folders where work data and information is not stored. It may also be the case that your employer has rules about storing sensitive information on consumer-grade systems, so you could be in violation of law or contract if you put confidential information on those systems.

  • Use basic security settings to keep your information secure. Most applications will automatically set your files to ‘public.’ Before you start sharing sensitive information, change these settings to ‘private’ and then go ahead and invite specific people to view your folder’s contents.

  • Consider blocking access to consumer cloud storage and file sharing apps. There are secure alternatives to consumer apps, and your business needs to take control of how sensitive information is being used and shared. This is especially true for employees dealing with proprietary or regulated information, or who work with customer data.

  • This is also a privacy issue. The security implications of data leakage are obvious, but increasingly this is becoming a privacy issue — with significant legal repercussions for your organization. Personally Identifiable Information (PII) is protected by strong laws in different countries, and your company is potentially liable if this information isn’t adequately protected.

Interested in seeing what we’ve found in past years? You can visit our blogs here:



Daren Glenister

Daren Glenister

Daren Glenister is the Field CTO for Intralinks. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks’ product road map and the evolving secure collaboration market. Daren brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software having worked with many of the Fortune 1000 companies helping to turn business challenges into real world solutions.