How Hackers See Your Cloud Storage: Risks and Real-Life Examples

Not Your Documents Anymore: How Cloud Storage Looks Through a Hacker’s Eyes

Services like Dropbox or Megaupload are convenient inventions: you can always have the documents you need at hand. But if you don’t pay attention to security, this convenience can turn into a leak of important personal data. In this article, I’ll show you how cloud storage and file-sharing services become targets for hackers, allowing them to steal important documents and gather material for blackmail.

WARNING
This material is for informational purposes only and does not encourage violating anyone’s privacy. Unauthorized access to information is a criminal offense. The author and editors are not responsible for any harm caused by the use of information from this article or attempts to repeat the actions described.

How Hackers Get In

Major file-sharing services are constantly improving data protection and usually offer two-factor authentication, but the option to log in with just a username and password is still available and widely used. Does this help hackers? Absolutely.

There are many ways to hack accounts: phishing, stealers, brute-forcing passwords, and even high-tech attacks on providers and mobile operators to intercept confirmation codes. But most often, hackers use credential stuffing—logging in with credentials from leaked databases. People don’t like coming up with different passwords for different services, and password managers are still mostly used by advanced users.

Why Are Stolen Passwords So Common?

Credentials are actively traded in the shady corners of the internet. I visited five such places to study the offerings and prices. On average, here’s what I found:

  • $300–$350 for a million login-password or email-password combinations
  • $400–$500 for a million combinations from corporate email accounts and their passwords (a prime target for scammers)
  • $250 for a million combinations in “mixed databases,” which can include any domains

Prices are sometimes lower and sometimes higher. You’ll also often find the raw leaked databases themselves, but sorting through huge dumps is a separate, challenging task.

And of course, stealers are widely sold—malware that can grab other people’s accounts. For example, the AZORult stealer costs $100, while UFR Stealer goes for just $20–$50.

What’s in the Cloud?

We got our hands on several accounts similar to those sold on underground forums. They were selected specifically, so all of them were accessible and contained something inside. Let’s take a look—strictly for research purposes. When accessing these accounts, I only took screenshots to demonstrate typical contents.

Example 1: The Abandoned Account

This is a Dropbox account created in Germany. Inside are two folders: one empty, the other containing photos of cars and documents, likely related to car damage. There are 161 images in total; the last change was in November 2020.

There’s probably nothing here for a hacker or blackmailer, and there’s been no activity on this account for a long time, so it’s likely abandoned—just like a good half of the accounts for sale.

Why do people abandon their storage? There are many reasons, but the most common is a forgotten password and not wanting to bother with recovery. Meanwhile, personal data can sit there for years.

Example 2: Other People’s Passports

Another Dropbox account, this time with more interesting content. Not just photos of the owner snowboarding, but a whole stash of documents clearly belonging to people other than the owner or their family.

It’s hard to say how the account owner collected all this or why they’re storing it. Maybe they had a legitimate reason. But the disturbing part is the thought that scans of your passport or driver’s license can end up (and regularly do) in the hands of people who don’t know basic security measures.

Example 3: Credit Card

Uploading party photos to Dropbox is normal. But adding a credit card photo—front and back—to the same folder is, to put it mildly, not a great idea.

In the same folder were the owner’s documents and an active WhatsApp group QR code (with just one member). I didn’t check further.

Example 4: Paid Account

This Dropbox account wouldn’t be notable if it weren’t paid up for a year in advance. Yet it’s barely used—only 3.6 GB out of 2 TB is occupied.

It looks like the account was simply forgotten, and a hacker could use it for any creative purpose.

Example 5: Password in the Trash

The service pCloud isn’t very well-known, but you’ll find it in compromised account databases. Here’s what’s interesting: if you look past the vacation photos and check the left panel, you’ll see an encrypted storage section.

There’s also a trash bin, and inside it—some files. One of them (named wtf.dat) contained a long key that successfully unlocked the encrypted section.

We found Russian passports, credit cards, driver’s licenses, and insurance certificates.

Moral: Empty your trash sometimes, and if you throw something important in there, clear it right away.

Example 6: Firearms

Here’s an account where the owner has basically collected a ready-made set of compromising material. Along with the usual documents are self-portraits from various angles, including very intimate ones, and photos of weapons—both regular and gold-plated.

Example 7: Piracy

If you think IT-savvy people take their data security much more seriously, you’re mistaken. Here’s a MediaFire account belonging to a Russian-speaking user. He stores pirated software there—about fifty programs and utilities.

Dear owner, if you recognize your stash, note that Disk Defrag Ultimate and some of your other files are flagged by antivirus software. And of course, go change your passwords everywhere you can.

Example 8: Inception

Surely hackers know something about account security? They should, and probably do. But the habit of reusing the same password is hard to break—even when storing files like “card.txt.”

This MediaFire account had all sorts of things: money-making methods, carding tutorials, shady schemes, materials for those schemes, and a bunch of other illegal info.

All files had zero downloads, so this is probably just a backup. We didn’t touch these questionable files, and you shouldn’t either.

Examples 9 & 10: InfoSec “Experts”

Think that was a one-off? Here are two more accounts from would-be hackers on Megaupload. One contains Metasploit courses, a set of hacking utilities, and a web defense guide.

Another stores offensive tools: a web vulnerability scanner (an outdated version of Acunetix 10.0) and the Cobalt Strike framework.

How Not to Become a Victim

It goes without saying that all the accounts above lacked proper protection. The owners should have followed at least basic digital hygiene rules.

It can be tough to avoid a targeted attack, but most hacks are mass attacks. They use huge databases or leaks from various compromised services to guess passwords. To protect yourself, just follow a few simple recommendations:

  • Use strong and, even more importantly, unique passwords. Use a password manager to create and store them: 1Password, KeePass, Apple’s iCloud Keychain, or others—pick your favorite.
  • Enable two-factor authentication (2FA). While it has its limitations, it’s still a serious barrier for anyone trying to guess your password. Don’t neglect it if it’s available, and prefer services that support it.
  • Encrypt your files. Encryption is the last line of defense that will protect your important documents even if your account is hacked. Just don’t use the same password for the container as for the account, and don’t leave the password or key file lying around!

Cloud service developers are also doing their part to keep user data safe. For example, Google services not only regularly prompt you to add a second factor, but even without it, they’ll notify you of access attempts and block brute-force attacks right away. So all you have to do is not undermine or ignore these efforts.
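Credential stuffing, described earlier as the most common way in, leaves a different trace in login logs than brute-forcing a single password. The following added example (not from the article or from any provider's code) separates the two over a constructed log; the log format, thresholds and function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log; the line format and all values are assumptions.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=anna result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=boris result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=carla result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=dmitri result=ok
2024-05-01T10:00:05Z ip=203.0.113.7 user=elena result=fail
2024-05-01T10:00:06Z ip=203.0.113.7 user=felix result=fail
2024-05-01T10:01:00Z ip=198.51.100.9 user=greta result=fail
2024-05-01T10:01:05Z ip=198.51.100.9 user=greta result=fail
2024-05-01T10:01:09Z ip=198.51.100.9 user=greta result=fail
2024-05-01T10:01:14Z ip=198.51.100.9 user=greta result=fail
2024-05-01T10:01:20Z ip=198.51.100.9 user=greta result=fail
2024-05-01T10:02:00Z ip=192.0.2.44 user=hana result=fail
2024-05-01T10:02:30Z ip=192.0.2.44 user=hana result=ok
"""
LINE = re.compile(r"(\S+) ip=(\S+) user=(\S+) result=(ok|fail)")

def parse(log):
    """Yield (timestamp, ip, user, success) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m[2], m[3], m[4] == "ok"

def classify(log, window=timedelta(minutes=5), min_users=5, min_fails=5):
    """Label each source IP and list accounts it logged in to successfully."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(log)):
        by_ip[ev[1]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        label, hits = "normal", set()
        for i, (start, *_) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            fails = Counter(e[2] for e in win if not e[3])
            if len(fails) >= min_users:          # many accounts, few tries each
                label = "credential_stuffing"
                hits = {e[2] for e in win if e[3]}  # likely reused passwords
                break
            if max(fails.values(), default=0) >= min_fails:  # one account hammered
                label = "brute_force"
        report[ip] = (label, sorted(hits))
    return report
```

The accounts listed for a `credential_stuffing` source logged in successfully during the run, so they are the ones to force a password reset on.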
