ZapFile.ai
Security | Published: Mar 28, 2026 | Updated: May 14, 2026

How to Avoid Cloud Leaks When Sharing Files: The Misconfiguration Problem


The narrative around data leaks tends to focus on dramatic hacker attacks. The reality is more mundane and more preventable. A significant proportion of cloud data exposure incidents come from misconfiguration — sharing settings that are either wrong from the start or that drift into insecurity over time as files get shared, re-shared, and forgotten.

Understanding how this happens, and the specific settings that cause it, is more useful than generic advice to "be careful."


The Most Common Misconfiguration: "Anyone With the Link"

Google Drive, Dropbox, OneDrive, and Box all offer a sharing option that makes a file accessible to literally anyone who has the URL. No authentication required. No account needed. The link is the key.

This setting is genuinely useful for intentional public sharing — a downloadable resource on your website, a public dataset, a menu PDF. It becomes a problem when it's used by default for files that aren't meant to be public.

How it goes wrong in practice:

  • You email a client a Google Drive link. The client's email is compromised — the attacker now has the link
  • You share the link in a Slack channel. A screen is shared during a meeting and the URL is visible in the background
  • The recipient forwards the email. The new recipient (who you don't know) now has permanent access
  • The link gets copy-pasted into a document that later gets shared more broadly
  • Google indexes some "public" links — this has happened with misconfigured Workspace settings

Real Incidents Caused by Misconfigured Sharing

These aren't hypotheticals. Misconfigured cloud sharing has caused documented incidents at organizations of all sizes:

  • In 2017, Verizon's customer data (14 million records) was left publicly accessible on an Amazon S3 bucket by a third-party contractor who had set the bucket to public access. The FTC's data security guidance specifically calls out misconfigured cloud storage as a recurring cause of avoidable data exposure
  • The same year, an NSA contractor's classified files were found on a publicly accessible S3 bucket due to misconfigured permissions
  • Numerous healthcare organizations have exposed patient data via misconfigured Google Drive folders where an IT or admin employee shared a folder with "anyone with the link" intending internal access but achieving public access

These incidents weren't caused by sophisticated attacks. They were caused by a checkbox in a settings menu being in the wrong state.

The Permission Drift Problem

Even if you set permissions correctly initially, they can drift over time:

  • You share a folder with specific people, then add new files — the new files inherit the folder permissions automatically
  • You change a file to "public" temporarily for a specific purpose and forget to revert it
  • Team members with edit access add people to shared folders you don't know about
  • You leave a company but the shared folders you created remain accessible to others under your former account

Permission drift is hard to track manually. It requires deliberate auditing.

How to Share via Cloud Services Without Creating Leaks

Use the Most Restrictive Setting That Works

Always use the most restrictive sharing setting that still allows the intended use. If you're sharing with three specific people, use specific-email access — not "anyone with the link." If it needs to be a link (for ease of sharing), set an expiry date if the service supports it.

Set Expiry Dates on All Sensitive Shares

Dropbox Business, Google Workspace, and Box all support link expiry. Use it. A link that expires in 7 days for a client deliverable closes the exposure window automatically. You don't need to remember to revoke it.

Disable Resharing Permissions

On Google Drive, you can prevent recipients from resharing files. In the share settings, click "Settings" (gear icon) and uncheck "Editors can change permissions and share." This prevents your recipients from creating new shares you don't know about.

Do a Quarterly Shared Link Audit

In Google Drive: click the search bar, select "Accessible to Anyone with link" (in Drive's search options). You'll see every file you've made publicly accessible. Delete the ones you no longer need and restrict the ones that shouldn't be public.
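
The same audit can be scripted over file metadata. The following is an added example, not part of the original article or any ZapFile code; it goes beyond the link search by also checking the resharing and expiry settings discussed above. The sample listing is constructed, the function names and finding labels are this example's own, and the field names are those of the Drive API v3 file and permission resources.

```python
import json

# Constructed sample, shaped like a Drive API v3 files.list response with
# fields=files(name,writersCanShare,permissions(type,role,expirationTime,allowFileDiscovery))
SAMPLE = json.loads("""
{"files": [
  {"name": "menu.pdf", "writersCanShare": false,
   "permissions": [{"type": "user", "role": "owner"},
                   {"type": "anyone", "role": "reader", "allowFileDiscovery": false}]},
  {"name": "client-contract.docx", "writersCanShare": true,
   "permissions": [{"type": "user", "role": "owner"},
                   {"type": "user", "role": "writer"}]},
  {"name": "deliverable.zip", "writersCanShare": false,
   "permissions": [{"type": "user", "role": "owner"},
                   {"type": "user", "role": "reader",
                    "expirationTime": "2026-01-10T00:00:00Z"}]},
  {"name": "payroll.xlsx", "writersCanShare": false,
   "permissions": [{"type": "user", "role": "owner"},
                   {"type": "anyone", "role": "writer", "allowFileDiscovery": true}]}
]}
""")

def audit_file(f):
    """Return sorted finding labels (names are this example's own) for one file."""
    findings = set()
    for p in f.get("permissions", []):
        if p.get("role") == "owner":
            continue
        if p.get("type") == "anyone":
            findings.add("ANYONE_WITH_LINK")          # the URL alone grants access
            if p.get("allowFileDiscovery"):
                findings.add("PUBLICLY_SEARCHABLE")   # findable without the link
            if p.get("role") == "writer":
                findings.add("PUBLIC_EDIT")           # link holders can modify the file
            continue
        if "expirationTime" not in p:
            findings.add("NO_EXPIRY")                 # grant never lapses on its own
        if p.get("role") == "writer" and f.get("writersCanShare"):
            findings.add("RESHARE_ALLOWED")           # editors can add new people
    return sorted(findings)

def audit(listing):
    """Map file name -> findings, omitting files with nothing to report."""
    report = {f["name"]: audit_file(f) for f in listing.get("files", [])}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(f"{name}: {', '.join(found)}")
```

NO_EXPIRY will fire on most ordinary collaborator grants, so treat it as a prompt to review sensitive shares rather than as an alert.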

Use Encrypted Transfer for One-Time Sends

The cleanest solution to cloud misconfiguration risk for one-time file delivery is to not use cloud storage for that delivery. ZapFile's encrypted transfer creates no cloud share, no persistent link, and no permission settings to misconfigure. The file is encrypted in transit (TLS) and at rest (AES-256), then deleted automatically after the recipient downloads. The link expires after download. Nothing to audit later.


The Deeper Problem: Cloud Sharing Defaults Are Too Permissive

I think it's worth being direct about this: cloud storage services have historically defaulted to more permissive sharing than is appropriate for most use cases. "Anyone with the link" is a convenient default that benefits the service (more sharing, more usage, more data) but creates risk for users.

Google has tightened defaults over time following multiple incidents, but the permissive options remain one click away. The responsibility for using them correctly falls on the user — which means understanding what each option actually means, not just clicking the fastest path to a shareable link.

Building the habit of choosing the right tool for each sharing scenario — cloud storage for ongoing collaboration, encrypted tools for one-time delivery — is ultimately the most sustainable solution. It removes the misconfiguration surface area from the scenarios where it causes the most damage.

Tags: cloud security, data leak, file sharing

Tanuja Chinthati, Content & Marketing Lead

Tanuja Chinthati is the Content and Marketing Lead at ZapFile, based in Ontario, Canada. With a background in Electronics and Communication Engineering, she writes about privacy-first file sharing, secure data transfer, and digital privacy — making complex security concepts accessible to everyday users.
