Lost in the clouds: Your private data has been indexed by Google

Personal and sensitive information discovered with a few simple searches

Page 2 of 3

What types of files are we talking about here?

Everything, seriously, and we can include the kitchen sink.

XSS discovered archives dating as far back as 2004, but several were updated as recently as March, 2015.


The indexed files included passwords, private photos (SFW / NSFW), personal journals and diaries, family genealogy documents, email correspondence, general household documentation and records, passports, state IDs, tax records, financial statements, credit card statements and account details, mortgage documents, banking statements and account details, birth records, death records, research and development planning, sales planning, customer lists, prospect lists, and more.

In one of the larger archives, XSS discovered a tremendous amount of personal information. The archive contained a family's computer backups dating back to 2009. If it was stored on the computers used by this family, it was eventually archived by their Western Digital drive and indexed by Google.


But the external drive wasn't the issue; their router – a Linksys WRT1900AC – had FTP enabled somehow. How this came to be remains unknown, but because the drive was connected to the router, its contents were treated as public records.

By looking at the files on the drive, it was entirely possible to map the family's personal and financial history over the last five years. When warned about the problem, the family shared an interesting story with XSS.

Towards the end of last year, their debit and credit cards kept getting compromised.

"I simply could not figure out how someone got the [card] info minutes after I'd activate them. My system was clean and secured more than the average person," said one member of the family, who asked that their names be left out of the story.

"Now I know. [It's not] difficult when my backups were public and being indexed on Google. I got into a habit, a bad one, of storing the card info in a text file similar to many of the ones you found... When I got all of our new cards after the second time, I didn't update the text file and the problem stopped. While there are a lot of files I wouldn't want to share with others, especially people I don't know, that was probably the most sensitive from an identity standpoint."

This family, like the others discovered while researching this story, was contacted about the problem, and their files have been removed from search listings.

Next: The technical details.
