WeTransfer Security Incident Sent Files to the Wrong People

In an embarrassing security incident, the WeTransfer file sharing service announced that for two days it was sending it's users shared files to the wrong people. As this service is used to transfer what are considered private, and potentially sensitive files, this could be a big privacy issue for affected users.

Starting today, users began to receive emails from WeTransfer [1, 2, 3] stating that on June 16th and 17th, files sent using the WeTransfer service were also delivered to people that they were not meant to go to.

The email goes on to say that the team doesn't know what happened and that they are working to contain the situation.

The full text of this email reads:

Dear WeTransfer user,

We are writing to let you know about a security incident in which a number of WeTransfer service emails were sent to the wrong people. This happened on June 16th and 17th. Our team has been working tirelessly to correct and contain this situation and find out how it happened.

We have learned that a transfer you sent or received was also delivered to some people it was not meant to go to. Our records show those files have been accessed, but almost certainly by the intended recipient. Nevertheless, as a precaution we blocked the link to prevent further downloads.

As your email address was also included in the transfer email, please keep an eye out for any suspicious or unusual emails you receive.

We understand how important your data is and never take your trust in our service for granted. If you have any questions or concerns, just reply to this email to contact our support team.

The WeTransfer Team

WeTransfer posted a security notice on their web site that some accounts were logged out and had their passwords reset to protect their accounts and that they blocked access to the Transfer links that were involved in the incident. They did not, though, provide any further details on how this happened in the first place.

"This incident took place on June 16th and 17th, and upon discovery, we immediately took precautionary security measures to protect our users," stated WeTransfer's security notice. "This means that users might have been logged out of their account or asked to reset their password in order to safeguard their account. Additionally, we have blocked Transfer links to ensure the security of our users’ Transfers."

If this was simply a programming mistake on WeTransfer's end, it is peculiar that they had to reset user's passwords or felt the need to protect them. This could indicate a more serious issue, such as a breach of their network.

BleepingComputer has contacted WeTransfer about this incident but had not heard back at the time of this publication.

Thx to John for the tip!