Microsoft has quietly removed a feature on its document sharing site Docs.com that allowed anyone to search through millions of files for sensitive and personal information.
Users had complained over the weekend on Twitter that anyone could use the site’s search box to trawl through publicly-accessible documents and files stored on the site, which were clearly meant to remain private.
Among the files reviewed by ZDNet, and seen by others who tweeted about them, included password lists, job acceptance letters, investment portfolios, divorce settlement agreements, and credit card statements — some of which contained Social Security and driving license numbers, dates of birth, phone numbers, and email and postal addresses.
The company removed of the site’s search feature late on Saturday, but others observed that the files were still cached in Google’s search results, as well as Microsoft’s own search engine, Bing.
We’re not publishing or linking to any of the documents or files.
We left a voicemail with one of the people whose phone number was listed a document they purportedly published, but did not hear back at the time of writing.
In an age of data breaches, leaks, and exposures, this incident falls within a unique set of parameters.
It’s clear that Microsoft hasn’t suffered a data breach, though its users have inadvertently had their data exposed. Who’s to blame depends on how you look at it. All of the documents would have been uploaded by the owner, but may not have realized that each document could be made public, which is Docs.com’s default uploading setting, say compared to files created or edited with Word and Excel Online, which are private until set otherwise.
But by Microsoft’s effort to pull the search feature for now shows there’s some responsibility on the software giant’s part.
Microsoft did not comment at the time of writing. If that changes, we’ll update.