Why did someone else's files appear in my online storage? The sudden appearance of unfamiliar data on my online storage has sparked a security controversy
2025-12-05
Mr. Wang from Chaoyang District, Beijing recently encountered a puzzling incident: an unfamiliar folder inexplicably appeared in his online storage. On November 26th, Mr. Wang opened a certain online storage service as usual to view backup materials, but found an unfamiliar folder named "XXX Knowledge Q&A" in the file list, with the addition time displayed as 11 o'clock, around noon that day. This left Mr. Wang confused: "Why did someone else's files appear in my online storage?" He knew nothing about the folder and contacted customer service, but they did not provide a reasonable explanation.

Mr. Wang's experience is not an exception. Because it can be accessed conveniently at any time, cloud storage has become an "online safe" in which many internet users store their data and photos. However, investigations by reporters have found that several users have recently encountered situations where photos and documents of strangers suddenly appeared in their online storage, which has raised strong doubts about the privacy and security of online storage.

Mr. Li from Changning District, Shanghai, is a loyal user of a certain online storage platform, where he stores a large number of personal photos and work and study materials. Recently, while he was using the cloud storage normally, his account suddenly popped up a notification saying "This device has been logged out", indicating that the reason was "This device has been logged out of the same account device". Mr. Li recalled that the online storage account was registered with and bound to his previous mobile phone number. Although he later changed his phone number, the online storage account has been in use until now and has completed real name authentication. "This account should only belong to me." After consulting customer service, he learned that someone had used his previous phone number to log in to the online storage account by receiving an SMS verification code.

"If you can log in with just one phone number, what is the significance of setting a password and real name authentication for your account? How to ensure the security of online storage?" Mr. Li stated that he is currently in communication with the platform and attempting to rebind his phone number.

The reporter searched for keywords such as "stranger login to online storage" and "stranger photos of online storage" on a certain social media platform and found that many users had encountered similar situations. One netizen posted that someone else's phone backup suddenly appeared in his private account on a certain online storage platform, followed by a large amount of "foreign" material: portraits of strangers, family scenes, cartoons, etc. In the comment section below the post, multiple netizens described similar experiences. A user with the nickname "I love to eat xxx" said that after changing their phone number, they did not log in to the cloud storage for some time and found many unfamiliar photos when logging in again.

Recently, Beijing Fourth Intermediate People's Court released a typical case of personal information rights protection. Xiao is a real name user of a certain online storage platform, and he needs to use the platform to store paid bidding documents for work purposes. In 2023, Xiao discovered that there were unknown device login records from 2021 and 2023 on the cloud storage, and that the account had also been logged into other apps developed by companies affiliated with the platform. Unknown folders had appeared in the cloud storage, and he suspected that the account had been logged in to abnormally and the files had been leaked. After repeatedly applying to the technology company that operates the online storage for complete login details and being rejected, Xiao sued the company in court. The first instance court rejected Xiao's claim on the grounds that he could access recent records and did not explicitly request an "abnormal login" query.
Xiao disagreed and filed an appeal. The second instance court held that the query function provided by the technology company had information deficiencies and limitations, that the company had failed to fully fulfill its obligations, and that this did not comply with relevant legal provisions. Therefore, the court ruled that the company should provide Xiao with a complete copy of the login records for a specific time period, within a specified time limit.

Secondary number release causes login confusion

Upon inspection, the reporter found that the official introduction of a certain online storage app states that users upload files to cloud storage through devices such as computers and mobile phones. The upload process involves dividing the data into small pieces and transferring them to the ECS over the Internet. Cloud storage providers use specialized software to manage data stored in the cloud, and users can access files stored in cloud disks anytime and anywhere through the Internet.

The cloud storage app specifically states that cloud storage service providers usually adopt multi-level security measures to protect user data, including data encryption, access control, identity verification, and other measures. In addition to the aforementioned app, many cloud drives also provide user-defined privacy settings, allowing users to decide which files to share with others and which files to keep private.

On the one hand, the platforms repeatedly emphasize the privacy of online storage; on the other hand, cases of abnormal account login and intrusion of unfamiliar data keep emerging. What are the reasons behind this? The reporter's investigation found that multiple users who experienced abnormal logins have a common feature: they changed their phone numbers while using the cloud storage account.

"The new owner of the phone number can log in to the cloud storage account linked to the previous phone number once the number has been released a second time." A Tianjin cloud storage user told reporters that he has been using a certain cloud storage service for 12 years, and the phone number bound at that time has long since been changed. Not long ago, when he logged into his online storage account, he found that someone was using the phone number to log in to and out of his account. He has appealed to the platform multiple times, but every time he gets stuck at the step of receiving a verification code on the phone. He then tried to contact the number's owner but was unsuccessful, and was even blocked by the other party.

"There are still many of my old photos and information in the online storage. It cannot be logged in to, so these memories cannot be found." The user said helplessly that he would continue to try to complain to the platform: "It's clearly my account, how can we only recognize the phone number?"

Public information shows that "secondary number release" refers to the number recycling mechanism in which old users stop using or abandon their phone numbers, and the numbers are taken back by the operator and re-released to the market 90 days after cancellation. According to current regulations, the minimum time limit for freezing mobile phone numbers is 90 days. During the freezing period, operators need to strip package, points and other business information from the number, but cannot clear data bound on third-party platforms.

The reporter used a mobile phone number obtained in July this year to test on a certain online storage platform. When logging in, the first step was a jump to the "Account Management" interface, where "Unbind and Register" was displayed at the top and an account with the username "Huang XX" was displayed below. At the same time, the platform gave a reminder that the phone number used by the reporter had been resold by the operator and that the online storage account may not belong to the reporter. The reporter then called the operator of the mobile phone number.
The staff explained that the number was not unbound when the original account owner cancelled it, and the operator could only provide a "renewal" service. The reporter could log in to the mini program to unbind all associated accounts under the number with one click.

What hidden dangers does abnormal login to cloud storage expose, and what security measures should be strengthened?

Xie Lianjie, senior partner of Beijing Yingke (Shanghai) Law Firm, said that the security crisis of online storage is a systemic risk caused by multiple factors. He further explained that the single authentication mechanism of "account + password" does have inherent flaws: it is easily broken through by brute force cracking or password leakage, and cannot form closed-loop protection for identity verification. Some platforms suffer from insufficient security investment and prioritize risk prevention and control over user growth. For example, the lack of proactive promotion of multi-factor authentication (such as SMS verification and facial recognition), insufficient monitoring of abnormal logins, and failure to establish real-time risk interception mechanisms have resulted in technical vulnerabilities not being remedied through management measures.

Zhu Jie, Senior Partner of Taihe Tai (Chongqing) Law Firm, pointed out that some online storage platforms have not adopted intelligent monitoring systems to identify abnormal logins in real time (such as IP address mutations and unfamiliar login devices), and lack a "minute level warning" mechanism (such as SMS reminders to users that "accounts are logged in from different places"), which makes it difficult to intercept illegal access in a timely manner.

The platform urgently needs to build a compliance defense line

Xie Lianjie believes that according to existing regulations, the platform bears corresponding legal responsibility for "abnormal login states caused by non user intentions".
Firstly, there is civil liability. If a user's information is leaked or their property is damaged because the platform failed to fulfill its security obligations, the platform should bear liability for compensation for infringement damages. Secondly, there is administrative responsibility. Those who violate relevant provisions of the Cybersecurity Law and the Personal Information Protection Law, fail to fulfill their obligations of cybersecurity protection, or refuse to provide user information query services may be subject to administrative penalties such as warnings, fines, and orders to suspend business for rectification. Finally, there is criminal responsibility. If a platform knows of hacker attacks, illegal logins, and similar situations but fails to take necessary measures, resulting in a large amount of user information being leaked, and the circumstances are serious, it may constitute the crime of refusing to fulfill information network security management obligations.

The interviewed experts pointed out that platforms operating cloud storage should effectively strengthen network security and provide specific security measures such as verification, dynamic verification, IP address login prompts, etc.

Xie Lianjie mentioned that according to the Cybersecurity Law and the Personal Information Protection Law, platforms should fulfill the following obligations: establish and improve security management systems and technical protection systems, and implement security measures such as multi-factor authentication; retain login logs, operation records, and other information for at least 6 months; promptly alert and inform users after discovering abnormal logins; provide users with convenient ways to query, correct, and delete personal information; after a user complaint, promptly verify it and provide necessary evidence support; immediately take remedial measures and report to regulatory authorities in case of information leakage.
Zhu Jie suggests that when individuals encounter abnormal logins to online storage, they can protect themselves through "prevention in advance, response in the process, and rights protection afterwards". Specifically: before using cloud storage, carefully read the service agreement and privacy policy, avoid using "weak passwords", and take measures such as enabling secondary authentication; after discovering any abnormalities, immediately appeal to the platform and request control of the account (such as locking the account or changing passwords), cutting off the hacker's permissions; if the platform refuses to provide complete login records, they can sue in court and demand that the platform fulfill its obligations. (New Society)
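The abnormal-login monitoring the experts describe (unfamiliar device, login from a different place), combined with the 90-day freeze period, can be expressed as a login check. This is an added example, not code from any platform in the article; the record fields, decision labels and the rule of demanding a password when an SMS code arrives from a new device after the freeze period are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Minimum freeze before a cancelled number is re-released (figure from the article).
FREEZE_PERIOD = timedelta(days=90)

@dataclass
class Account:  # hypothetical account record
    known_devices: set
    usual_regions: set
    number_last_confirmed: datetime  # last SMS code entered on a known device

@dataclass
class LoginAttempt:  # hypothetical login event
    method: str  # "sms_code" or "password"
    device_id: str
    region: str
    when: datetime

def evaluate_login(account, attempt):
    """Return (decision, reasons); any non-empty reasons list should alert the user."""
    reasons = []
    new_device = attempt.device_id not in account.known_devices
    if new_device:
        reasons.append("unfamiliar_device")
    if attempt.region not in account.usual_regions:
        reasons.append("region_change")
    # The owner last proved control of the number at number_last_confirmed. Within
    # the freeze period the number cannot have reached a new subscriber; after it,
    # an SMS code from a new device proves control of the number, not the account.
    stale = attempt.when - account.number_last_confirmed >= FREEZE_PERIOD
    if attempt.method == "sms_code" and new_device and stale:
        reasons.append("number_may_be_reissued")
        return "require_password", reasons
    return ("allow_with_alert" if reasons else "allow"), reasons

# Constructed sample data, not taken from any real account.
ACCOUNT = Account({"phone-A"}, {"Shanghai"}, datetime(2025, 3, 1))
ATTEMPTS = [
    LoginAttempt("sms_code", "phone-Z", "Tianjin", datetime(2025, 11, 26, 11)),
    LoginAttempt("password", "phone-A", "Shanghai", datetime(2025, 11, 26, 12)),
    LoginAttempt("password", "phone-B", "Shanghai", datetime(2025, 11, 26, 13)),
]

if __name__ == "__main__":
    for a in ATTEMPTS:
        print(a.device_id, a.method, *evaluate_login(ACCOUNT, a))
```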
Editor: Momo  Responsible editor: Chen zhaozhao
Source: Legal Daily