• United States



Microsoft axed search option after private files were shared publicly

Mar 26, 20173 mins
Data and Information SecurityMicrosoftSecurity

Microsoft quietly removed the search option on after potential PEBKAC/ID10T errors; users set private and sensitive files to be viewed publicly

controlling privacy
Credit: Thinkstock, Microsoft’s site that is described as “showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway and PDF document for free,” came under fire over the weekend as Twitter users started complaining that users of the site had inadvertently shared private and sensitive information with the world.

The site had a search functionality that would allow anyone to search through millions of files. When some users uploaded private information, they did not change the permissions from the default setting to share content publicly. Yet after people started tweeting screenshots of sensitive information, Microsoft quietly removed the search functionality on Saturday.

When Microsoft announced the relaunch of in 2015, the service was said to be very search-engine friendly. That feature meant that even after Microsoft removed the search functionality from, the files could still be found because they had been cached by Bing and Google.

Microsoft previously said, “ is typically used to share information publicly and make it easily discoverable by search engines.” But in November 2016, the company tried to “make sure that Office 365 customers are fully aware of the benefits and risks of using the service.”

It was Microsoft’s attempt to ensure organizations’ security and privacy via the addition of an “organization visibility” feature. Users would see the share content publicly permission “at least twice” before manually confirming that content would “appear on the internet and in search engines.”

Before work and school account users could share information publicly, their Office 365 Tenant Administrator of record had to “opt-in” on behalf of the school or work organization. “Opting in” meant “that any user will be able to sign-in into with their work or school account and use it to share content with people using one of the following categories: Organization: Sharing only with signed in users from the same organization; Limited: Sharing a link that is not exposed to search engines by but can be viewed by anyone who knows the link URL; Public: Sharing openly including with search engines.” default upload setting is public

The options were not the same for regular users who were not part of an organization. For example, Twitter user @TinkerSec said was leaking personally identifiable information such as divorce settlement agreements, loan applications, custody agreements, birth certificates and social security numbers. Others claimed they found password lists, credit card statements, driver’s license numbers and more. Even though Microsoft said users could choose who views their files, it’s doubtful any user would purposely set out to make such things publicly accessible.

ZDNet reported, “All of the documents would have been uploaded by the owner, but may not have realized that each document could be made public, which is’s default uploading setting, say compared to files created or edited with Word and Excel Online, which are private until set otherwise.”

Microsoft told ZDNet it “was ‘taking steps to help those who may have inadvertently published documents with sensitive information’ and advised users to review and update their settings by logging into their account.”

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.