WeTransfer Security Fail: Files sent to wrong recipients for two days

WeTransfer Security Fail: Files sent to wrong recipients for two days

The ‘Security Incident’

Did you send any files using WeTransfer on June 16th and 17th last week?
If the answer is yes, you might want to check your inbox in case you’ve received some unfortunate news from them.

Last Friday, the popular file-sharing service started notifying users that they suffered a ‘security incident’ during which it sent shared files to unintended recipients for two whole days:

Apart from informing impacted customers by email, WeTransfer also posted a security notice on its website disclosing the security incident.

Here’s what we know so far:

  • Files shared via the service on June 16-17 reached unintended recipients, number unknown
  • WeTransfer so far is unsure what the cause of the breach is
  • In the meantime, they logged out of user accounts and force reset passwords
  • They also blocked all Transfer links involved in the incident

WeTransfer finishes the security notice by reassuring users that:
“We understand how important our users’ data is and never take their trust in our service for granted. We are still investigating the complete scope and cause of the incident, and will update further as soon as possible.”

Unfortunately, WeTransfer’s brief statement leaves us with more questions than answers. To start with, how many users were affected in the incident and how many people were their files shared with? Was this the result of a bug or a malicious attack?

And perhaps most critically, what measures will they take to prevent similar issues from happening again in the future?
While we hang tight for more information about the security incident, let’s examine a key lesson learned from this latest security fail; the importance of end-to-end encryption.

Lessons Learned

What happened with WeTransfer is not an isolated incident but rather, a design flaw that consistently causes data breaches across mainstream file-sharing services.

To give you a few examples, in recent years, 68 million Dropbox passwords have been leaked online, sensitive data from dozens of companies was compromised due to misconfigured Box accounts, and 773 Million email addresses and passwords were exposed in a breach of file sharing service MEGA.

So when you find yourself researching different online file-sharing services, it’s important to look for end-to-end encryption rather than just encryption, which doesn’t in itself guarantee full security coverage for your files. Keep an eye out for handy additional features too, like password setting and expiration dates, to have as much control over your files as possible.

There’s also another key distinction to take note of during your evaluation process. As we’ve said before and will say again, there is a huge difference between services which tack on security features as an afterthought and companies who make the safety of your data their priority from the ground up.

Consumer-grade file sharing services simply don’t provide the same level of security that privacy focused services, like our own Tresorit Send does for instance. How do we do achieve that? Read on to find out.

What we do differently

We use patented, zero-knowledge, end-to-end encryption to make sure that your files get safely from point A to Point B.

Tresorit encrypts all files and relevant metadata on your devices with unique, randomly generated encryption keys. These keys are never sent to our servers in their unencrypted state, meaning that you and the people you share the files with are the only ones who can see them. Nobody else, not even hackers if they were able to breach our system, would be able to download your files in a readable format.

And unlike other services, Tresorit never shares or stores files, encryption keys or passwords in their unencrypted or ‘unhashed’ form. For example, if you send a link with Tresorit Send, the encryption is done in your browser and not on our server. As a result, we can’t see the link and therefore, we can’t share it or send it to the wrong recipients as WeTransfer has inadvertently done.

This is the zero-knowledge part of our approach; nobody can see your content except you and whoever you give access to, not even us. For additional security, you can also set up passwords and activity logs on all links you send out, which we always recommend to make sure all your bases are covered.

So if you’re looking for a truly safe way to send files online, you’re in the right place. Try the benefits of end-to-end encryption for free with Tresorit Send (for up to 5GB), or check out Tresorit Personal or Business for even more powerful content collaboration features.

Were you affected by this latest breach? Help us spread awareness of these security risks by sharing this post on Twitter, Facebook and LinkedIn using the buttons below.