ownCloud Warns Users to Enable MFA After Stolen Credentials Expose Accounts

The file-sharing platform ownCloud has released a security advisory encouraging all users to enable multi-factor authentication (MFA) to reduce the risk of unauthorized account access. The warning follows reports that attackers have been gaining access to self-hosted ownCloud environments using stolen login credentials.

According to findings from Israeli cyber-intelligence firm Hudson Rock, several organizations were affected after attackers logged into ownCloud instances—including some running the Community Edition—using valid usernames and passwords obtained elsewhere. ownCloud emphasized that its software was not compromised, nor was any zero-day vulnerability exploited. Instead, the incidents stemmed from credential theft.

How the credentials were stolen

The stolen login details were traced back to infostealer malware infections on employee devices. Malware families such as RedLine, Lumma, and Vidar were used to harvest usernames and passwords, which were later abused by threat actors.

Because MFA was not enabled, attackers could successfully sign in using only these credentials. In some cases, the same access method was used to reach other cloud-based file-sharing platforms such as Citrix ShareFile and Nextcloud, allowing the attackers to view or exfiltrate sensitive data.

Key risk factors

Investigations found that the lack of MFA was a major contributor to the breaches. Additionally, some of the compromised credentials had been circulating on underground forums for years, often due to weak password practices and infrequent password changes, making them easy targets for reuse.

ownCloud’s security recommendations

To reduce exposure, ownCloud advises organizations to:

  • Enable MFA on all user accounts
  • Force password resets across the environment
  • Invalidate existing login sessions so users must re-authenticate
  • Closely review access and authentication logs for unusual activity
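
A log-review sketch for the last recommendation, added here as an example (not code from ownCloud or Hudson Rock): because the attackers used valid passwords, it examines successful logins rather than failures, flagging sign-ins from a source address not seen for that user during a baseline period, and addresses that are new to more than one account. The JSON field names, the `login_ok` event value and the sample records are assumptions constructed for illustration; map them to what your own authentication or audit log emits.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real ownCloud output); field names are assumed.
SAMPLE_LOG = """\
{"time": "2025-01-06T08:01:00+00:00", "user": "alice", "remoteAddr": "198.51.100.10", "event": "login_ok"}
{"time": "2025-01-06T08:05:00+00:00", "user": "bob", "remoteAddr": "198.51.100.10", "event": "login_ok"}
this line is not JSON and must be skipped
{"time": "2025-01-09T02:10:00+00:00", "user": "bob", "remoteAddr": "203.0.113.50", "event": "login_failed"}
{"time": "2025-01-09T02:14:00+00:00", "user": "alice", "remoteAddr": "203.0.113.77", "event": "login_ok"}
{"time": "2025-01-09T02:16:00+00:00", "user": "bob", "remoteAddr": "203.0.113.77", "event": "login_ok"}
{"time": "2025-01-09T08:02:00+00:00", "user": "alice", "remoteAddr": "198.51.100.10", "event": "login_ok"}
"""
BASELINE_END = datetime.fromisoformat("2025-01-08T00:00:00+00:00")

def review_logins(lines, baseline_end):
    """Return (new_source, shared): successful logins from an address unseen
    for that user before baseline_end, and addresses new to several users."""
    known = defaultdict(set)        # user -> source addresses seen in baseline
    users_by_ip = defaultdict(set)  # new source address -> users it signed in as
    new_source = []
    for line in lines:
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["time"])
            user, ip, event = rec["user"], rec["remoteAddr"], rec["event"]
        except (ValueError, KeyError, TypeError):
            continue  # blank or malformed line
        if event != "login_ok":
            continue  # valid stolen passwords leave no failed attempts to find
        if ts < baseline_end:
            known[user].add(ip)  # learn the user's usual sources
        elif ip not in known[user]:
            new_source.append((user, ip, rec["time"]))
            users_by_ip[ip].add(user)
    shared = {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}
    return new_source, shared

def run_sample():
    return review_logins(SAMPLE_LOG.splitlines(), BASELINE_END)

if __name__ == "__main__":
    flagged, shared = run_sample()
    for user, ip, when in flagged:
        print(f"new source for {user}: {ip} at {when}")
    for ip, users in shared.items():
        print(f"{ip} is new to multiple accounts: {', '.join(users)}")
```

Hits are leads for review, not verdicts: travel and VPN use also produce new source addresses, so correlate them with the password resets and session invalidation listed above.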

Why MFA is critical

MFA adds an extra verification step beyond a password, such as a one-time code or authentication app approval. This additional layer significantly limits the usefulness of stolen credentials and can prevent account takeovers—even when attackers already have valid usernames and passwords.