ownCloud urges users to enable MFA after credential theft reports

In a security advisory today, ownCloud urged users to enable multi-factor authentication (MFA) to block attackers from using compromised credentials to steal data. ownCloud has more than 200 million users worldwide.

KEY FACTS

  • Incident: Credential theft used to access self-hosted file sharing instances
  • Scope: ownCloud has more than 200 million users worldwide
  • Cause: Credentials taken from employee devices by infostealer malware
  • Recommended actions: Enable MFA, reset passwords, invalidate sessions

The advisory says the ownCloud platform itself was not hacked or breached and that no zero-day exploits or platform vulnerabilities were involved.

According to a January 5 report by Hudson Rock, attackers obtained user credentials via infostealer malware such as RedLine, Lumma, and Vidar, then used those credentials to log in to accounts that did not have multi-factor authentication enabled.

ownCloud advised administrators to enable MFA immediately, reset all user passwords, invalidate active sessions to force re-authentication, and review access logs for suspicious logins.
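One way to approach the log review the advisory recommends, shown as an added example that is not code from ownCloud or the advisory: flag successful logins made without MFA from an IP address the account had not used before. The field names and sample events are constructed assumptions, so map your own access-log fields onto them.

```python
import json
from collections import defaultdict

# Constructed sample events. The field names (time, user, ip, result, mfa) are
# assumptions for this example, not ownCloud's log schema.
SAMPLE_LOG = """\
{"time": "2025-03-02T08:01:00", "user": "alice", "ip": "198.51.100.10", "result": "success", "mfa": false}
{"time": "2025-03-02T09:15:00", "user": "bob", "ip": "198.51.100.20", "result": "success", "mfa": false}
{"time": "2025-03-03T10:00:00", "user": "carol", "ip": "198.51.100.30", "result": "success", "mfa": true}
{"time": "2025-03-06T08:00:00", "user": "alice", "ip": "198.51.100.10", "result": "success", "mfa": false}
{"time": "2025-03-06T23:40:00", "user": "alice", "ip": "203.0.113.77", "result": "success", "mfa": false}
{"time": "2025-03-06T23:42:00", "user": "bob", "ip": "203.0.113.77", "result": "success", "mfa": false}
{"time": "2025-03-06T23:44:00", "user": "carol", "ip": "203.0.113.77", "result": "failure", "mfa": false}
{"time": "2025-03-07T07:00:00", "user": "carol", "ip": "192.0.2.5", "result": "success", "mfa": true}
"""

def review_logins(log_text, baseline_end):
    """Return successful logins after baseline_end that came without MFA from an
    IP the account had not used during the baseline period."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["time"])  # ISO 8601 strings sort chronologically
    known = defaultdict(set)        # user -> IPs seen during the baseline
    ip_accounts = defaultdict(set)  # unfamiliar IP -> accounts it signed in to
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        if e["time"] < baseline_end:
            known[e["user"]].add(e["ip"])
        elif not e["mfa"] and e["ip"] not in known[e["user"]]:
            ip_accounts[e["ip"]].add(e["user"])
            hits.append(e)
    # One unfamiliar IP signing in to several accounts is a stronger signal
    # than a single user appearing on a new network.
    return [{"user": e["user"], "ip": e["ip"], "time": e["time"],
             "shared_ip": len(ip_accounts[e["ip"]]) > 1} for e in hits]

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG, "2025-03-05T00:00:00"):
        print(finding)
```

Accounts surfaced this way are the first candidates for the password reset and session invalidation steps listed above.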

Threat actor Zestix has offered corporate data that appears to be stolen from dozens of companies after breaches of ShareFile, Nextcloud, and ownCloud instances. Thousands of infected computers were identified, including systems on the networks of several high-profile organizations.

WHY IT MATTERS

Enabling multi-factor authentication can block account takeover when credentials are compromised. Immediate resets and session invalidation reduce the risk of ongoing unauthorized access to corporate file shares.