According to an advisory emailed to affected users, and confirmed on the WeTransfer website, the service sent emails containing file transfer links to unintended email addresses on June 16 and 17.
As a consequence, unauthorised parties could have accessed private files you were attempting to transfer to a trusted party.
The statement on WeTransfer’s website read as follows:
We discovered a security incident on Monday, June 17th, where e-mails supporting our services were sent to unintended e-mail addresses. We are currently informing potentially affected users and have informed the relevant authorities.
This incident took place on June 16th and 17th, and upon discovery, we immediately took precautionary security measures to protect our users. This means that users might have been logged out of their account or asked to reset their password in order to safeguard their account. Additionally, we have blocked Transfer links to ensure the security of our users’ Transfers.
Unfortunately, WeTransfer’s brief statement leaves plenty of questions hanging in the air:
- How many users were affected? How many email transfer links were sent to unauthorised parties?
- How many email addresses were the errant file transfer link messages sent to?
- Were the unauthorised email recipients seemingly random? Other users of WeTransfer? Or was it just a small number of email addresses that received all the messages?
- Was this a screw-up or the result of a malicious act?
- If it is believed it was malicious – have the authorities been informed?
- What steps have been taken to prevent a similar incident occurring again in the future?
- WeTransfer claims to be GDPR-compliant, and is based in the EU. Considering the potential sensitive nature of information that might have been being transferred, has the security breach been reported to data protection regulators?
The free version of WeTransfer does not give you the option of password-protecting the download links it sends when you try to share a file with a friend or colleague.
My advice would be to always encrypt sensitive information with a hard-to-crack, unique password before entrusting it to a cloud-based file-sharing service like WeTransfer. And then, of course, use a different medium than email to get that password to the intended recipient.
At least that way you know that you’ve made it considerably less likely that an unauthorised party will be able to snoop through your information if the file-sharing service suffers a security snafu.