Yikes! WeTransfer sends users’ files to the wrong people, says it doesn’t know what happened

In the most embarrassing security incident so far in 2019, file-sharing service WeTransfer sent users’ files to the wrong inboxes for at least a full day last week. Worse still, the company says it can’t figure out what happened.


WeTransfer customers who used the service to share files between June 16 and June 17 have received the following notice from the company via email:

“We are writing to let you know about a security incident in which a number of WeTransfer service emails were sent to the wrong people. This happened on June 16th and 17th. Our team has been working tirelessly to correct and contain this situation and find out how it happened.

“We have learned that a transfer you sent or received was also delivered to some people it was not meant to go to. Our records show those files have been accessed, but almost certainly by the intended recipient. Nevertheless, as a precaution we blocked the link to prevent further downloads.”

Since WeTransfer also includes the email of the sender with the delivery of a file, customers are told to keep a close eye on their inboxes for suspicious activity.

In a separate advisory, WeTransfer says some users will notice they have been logged out of their account, or have been asked to reset their password. This was done on purpose, according to the notice, to “safeguard their account.” The Transfer links involved in the incident were also blocked to prevent files being downloaded by the wrong recipients.

The company failed to reveal the cause of the incident, saying only that, “We are still investigating the complete scope and cause of the incident, and will update further as soon as possible.”

The incident may have been caused by a programming bug, but WeTransfer may also have fallen victim to a cyber attack. We have contacted the company for clarification and we’ll update you when (if) we get a response.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Filip Truta. Read the original post at: