Data Leakage from Owncloud & Nextcloud: Operations Failed, Not the Software

Current reports of massive data leakage from self-hosted Owncloud, Nextcloud, and ShareFile instances are technically unspectacular – and that is exactly what makes them so problematic. There was no zero-day, no compromised encryption, no architectural flaw in the software. Access was gained using valid user accounts. In some cases, with credentials that were years old.

Those who derive an “open source problem” from this fundamentally misjudge the situation.

What Happened?

Attackers used credentials that were previously snatched from end devices via so-called infostealer malware. Redline, Lumma, Vidar, and similar variants extract stored passwords, browser data, and session information. This data does not end up in attacks immediately, but often for months or years in log collections traded on underground marketplaces.

In the cases that have now become known, exactly such old logs were evaluated. The attackers specifically looked for access to cloud and file-sharing systems – and found it. The login worked because no additional authentication was requested. No MFA, no additional factor, no hurdle.

Why the Software Was Not the Problem

Owncloud and Nextcloud have long supported:

• Multi-factor authentication (TOTP, hardware tokens, app-based)
• Central password policies
• Session management including session invalidation
• Detailed audit and access logs
• Role and permission models

All these mechanisms were available. They were just not consistently used. MFA was optional instead of mandatory. Existing sessions remained valid even after credentials had long been compromised. Passwords were not rotated regularly. Logs were not actively evaluated but at best archived.

This is not a software error. It is an operational error.

The Actual Attack Vector: Lack of Security Discipline

Technically, the attack was trivial:

1. Infostealer infects an end device.
2. Credentials are extracted and stored in logs.
3. Logs are later evaluated by an initial access broker.
4. Login with username and password.
5. Full access to productive cloud data.

This sequence only works under one condition: the second factor is missing. As soon as MFA is enforced, these credentials are worthless. That is exactly why MFA is not a “nice-to-have” but a basic requirement for every internet-exposed system.

The fact that passwords sometimes years old were still valid shows another structural problem: compromised credentials are not treated as a security incident but as a side note. Yet it has long been known that infostealer logs are one of the most important sources for today’s attacks.

Open Source as a False Scapegoat

In public debate, the accusation reflexively arises that self-hosted or open-source-based solutions are less secure than proprietary cloud offerings. The current incidents prove the opposite.

The security of the software used was sufficient. The configuration was not. Those who hold open source responsible here shift responsibility – away from their own operations, toward the license form. This is convenient, but wrong.

A proprietary system without enforced MFA would have been compromised in exactly the same way.

What Is Now Imperatively Required

The recommendations for action are technically clear and not new:

• MFA mandatory for all users, without exceptions
• Immediate invalidation of all active sessions after activating MFA
• Regular rotation of passwords, especially for privileged accounts
• Active evaluation of access logs for anomalies
• Assume that credentials are compromised – not the hope that they are not

Self-hosting means not only control but also responsibility. Those who want digital sovereignty must implement it operationally. Not on paper, not in strategies, but in daily administration.

Conclusion

These incidents are not evidence against open source. They are proof that security features are worthless if they are not used. The software delivered. The operations did not.

Open source was not the weak point here. A lack of consistency was.