PanicStation.org
UK USA
uk Technology & digital loss sharing link appeared • unknown sharing link • unauthorised sharing link • link created without me • file shared without permission • activity log shows sharing • drive activity log • onedrive activity log • dropbox shared link created • private file link leaked • unexpected public link • someone accessed my cloud files • account may be compromised • suspicious file sharing • external sharing turned on • “anyone with link” enabled • file permissions changed • unauthorised link sharing • cloud storage breach scare

What to do if…
a sharing link to a private file appears in activity logs and you did not create it

Short answer

Treat it as a potential account compromise: revoke the link / stop sharing on that file immediately, then secure your account (password + 2-step + sign out of other devices).

Do not do these things

  • Don’t open the sharing link to “test it.” If you need it for IT/support, record the link text only—don’t visit it and don’t forward it.
  • Don’t delete the file or your whole account in panic (you may erase audit trails and make recovery harder).
  • Don’t message unknown recipients or “support” contacts you find in logs (impersonation scams are common).
  • Don’t assume it’s a glitch if you can’t explain it—treat it as real until you’ve checked.
  • Don’t create new public links as a workaround (you may widen exposure).

What to do now

  1. Freeze the exposure on the file (do this first).
    • Open the file’s sharing/permissions panel.
    • Delete the unexpected sharing link and/or change “general access” to Restricted / Only people added.
    • If the service supports it, choose Stop sharing entirely for the item.
  2. Check who/what has access right now.
    • In the same sharing/“manage access” view, look for:
      • Any new people you don’t recognise.
      • Any “Anyone with the link” / public access settings.
      • Any editor permissions that shouldn’t exist.
    • Remove unknown people, and reduce access to the minimum needed (view-only if you must keep it shared).
  3. Capture the key details before they change.
    • Screenshot or note: file name/path, timestamp, link type (view/edit), and any listed IP/device/session info.
    • If this is a work/school account, don’t move the file to a personal account unless IT tells you to—just record details.
  4. Secure the account that owns the file.
    • Change the account password immediately (and any other accounts that reused it).
    • Turn on two-step verification (2SV) if it isn’t already.
    • Sign out of other devices/sessions from the account security page.
  5. Check for “silent access” routes that create links without you noticing.
    • Review “Connected apps / Third-party access” and remove anything you don’t fully trust.
    • Review your account’s device list and remove/sign out unfamiliar devices.
    • Check your email account for unexpected forwarding rules or mailbox rules (attackers use these to keep control).
  6. If it’s a work/school/organisation account: escalate quickly.
    • Contact your IT/helpdesk or the admin team and say: “A sharing link appeared in the audit/activity logs that I did not create.”
    • Ask them to check organisation audit logs and whether external sharing settings were changed.
  7. If the file contained sensitive personal data, assume it may have been accessed.
    • Make a short list (for yourself) of what was in the file (e.g., scans of ID, bank details, medical info).
    • If bank or card details were in it: contact your bank using a trusted number/app, ask for the fraud team, and monitor/lock cards and accounts as advised. Change any banking password you’re unsure about.
  8. If you think this is linked to fraud (or you’ve lost money): use the UK reporting route.
    • For England, Wales, and Northern Ireland, report cyber crime/fraud via Report Fraud (online).
    • In Scotland, report fraud/financial crime by calling 101.
    • If you’re in immediate danger, call 999.

What can wait

  • You do not need to decide right now whether you want a formal investigation—containment and account control come first.
  • You don’t need to contact everyone who might have received the link until you’ve confirmed whether anyone else actually has access now.
  • You don’t need to do a full device “clean install” immediately unless you see strong signs of malware—first secure the account and revoke access.
  • You can postpone reorganising cloud storage or changing providers; focus on containment and account control first.

Important reassurance

This is a common way people first notice account compromise (or an accidental share setting change). Acting quickly to revoke the link and lock down the account usually prevents further spread and buys you time to understand what happened.

Scope note

These are first steps to contain an unexpected sharing link and regain control. Later steps (incident reports, legal/regulatory duties, forensics) depend on whether this is personal use or an organisation account, and what data was involved.

Important note

This is general information, not legal, IT, or security professional advice. If you’re using an employer/school system, follow internal policies and involve your admin/IT team promptly.

Additional Resources
Support us