A misunderstanding over the document sharing features in Microsoft Office 365 has led to users accidentally sharing highly sensitive documents online, with the documents even being picked up and indexed by the Google and Bing search engines.
The security glitch arises as a result of users not understanding how the sharing function in the cloud-based office application suite works.
Passwords and health information were among the documents found via Docs.com, the search engine element of Microsoft's online Office suite.
Security architect Kevin Beaumont revealed the problem in a series of tweets in which he outlined some of his findings.
.@InvertedLina there's loads. People clearly don't understand how the service works. It defaults to Publicly accessible, which is the prob.— Kevin Beaumont (@GossiTheDog) March 27, 2017
Microsoft has already said it is "working on" a solution. It took down the search box from docs.com but it has since reappeared without a fix for the problem.
A statement from Microsoft said: "As part of our commitment to protect customers, we're taking steps to help those who may have inadvertently published documents with sensitive information."
"Customers can review and update their settings by logging into their account at www.docs.com".
The problem lies in how document sharing is handled. The default is to share a document with all and sundry, and that makes it available for public indexing.
To share with a private group, you have to specify the group or individuals within it separately. The same is true of other sharing services, such as Dropbox and Google Drive, but they don't seem to be leaking information in the same way.
According to the BBC, further investigations have revealed that the information not only remains freely available, but has also been cached on both Google and Bing, and is still available even after deletion.
Information including National Insurance numbers, social security details, banking details and passwords was among the nuggets found by the white-hat community, which began exploring the exploits after Beaumont unearthed them.