What to do if…
a sharing link to a private file appears in activity logs and you did not create it
Short answer
Assume your account or permissions were changed: revoke the link / stop sharing on that file immediately, then lock down the account (password + MFA + sign out of other sessions).
Do not do these things
- Don’t open the link to “see what it shows.” If you need it for IT/support, record the link text only—don’t visit it and don’t forward it.
- Don’t delete the file/account in panic (you may lose audit trails and recovery options).
- Don’t rely on a phone number or email shown in a suspicious message claiming to be support—use the provider’s official help paths.
- Don’t keep collaborating on the same file while you’re unsure who can access it (contain first).
What to do now
1. Stop the sharing link from working (first priority).
   - Open the file’s sharing/permissions.
   - Remove/delete the unexpected link, and set access to Restricted / Specific people.
   - If available, use Stop sharing for the item.
2. Audit current access on the file.
   - In “manage access,” check:
     - Any new people you don’t recognize.
     - Any public/“anyone with the link” setting.
     - Any edit permissions you didn’t grant.
   - Remove unknown people and reduce permissions to the minimum needed.
3. Preserve quick evidence (helps if you need IT/support or a report).
   - Screenshot or note: file name/path, timestamp, link type (view/edit), and any device/session/IP info shown.
   - If it’s a work/school account, keep these notes and move to step 6 quickly.
4. Secure the account that owns the file.
   - Change the password (and anywhere else you reused it).
   - Turn on multi-factor authentication (MFA).
   - Use the account security page to sign out of all other devices/sessions.
5. Remove common “persistence” methods attackers use.
   - Review connected apps / third-party access / OAuth and revoke anything unfamiliar.
   - Review the account’s device list and remove/sign out unfamiliar devices.
   - Check your email account settings for unexpected forwarding or rules (attackers use these to keep control and intercept resets).
6. If this is a work/school/enterprise account: involve the right people immediately.
   - Contact your IT/security team or admin: “An unrecognized sharing link was created for a private file per activity/audit logs.”
   - Ask them to confirm whether external sharing settings, conditional access, or admin roles were changed.
7. If sensitive personal info was in the file, assume exposure is possible.
   - Write down what was in the file (SSN, ID scans, bank info, health info).
   - If identity theft is a concern, use IdentityTheft.gov to create a recovery plan.
   - If you want to report cyber-enabled fraud, use the FBI Internet Crime Complaint Center (IC3)—type ic3.gov directly into your browser (avoid lookalike sites and search ads).
   - If anyone contacts you claiming to be “IC3/FBI support” and asks for fees or payment to “recover funds,” treat it as a scam.
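The three checks under "Audit current access on the file" (unrecognized people, link-based access, edit rights you didn't grant) can also be run as a comparison between the access you intended and the access that exists now. The script below is an added example, not part of the original guide; the record layout, role names and sample addresses are assumptions constructed for illustration and do not match any provider's export format. It assumes the file is meant to be private, so any link-based entry is flagged.

```python
# Added example: compare who can reach a file now with who you meant to allow.
# The record layout and role names are assumptions, not a provider's format.
ROLE_RANK = {"view": 1, "comment": 2, "edit": 3, "owner": 4}


def rank(role):
    # Unknown role names count as most privileged, so they are never ignored.
    return ROLE_RANK.get(role.lower(), max(ROLE_RANK.values()) + 1)


def audit_access(current, expected):
    """Return (action, principal, reason) tuples for access that should change.

    current  -- list of {"principal", "kind" ("user" or "link"), "role"} dicts
    expected -- dict of principal -> highest role you intended to grant
    """
    intended = {p.lower(): r for p, r in expected.items()}
    findings = []
    for entry in current:
        who = entry["principal"].lower()  # addresses compare case-insensitively
        role = entry["role"]
        if entry["kind"] == "link":
            # The file is meant to be private, so every link is unexpected.
            findings.append(("remove", who, f"link grants {role} access"))
        elif who not in intended:
            findings.append(("remove", who, "not on the intended access list"))
        elif rank(role) > rank(intended[who]):
            findings.append(
                ("downgrade", who, f"has {role}, intended {intended[who]}"))
    return findings


# Constructed sample data (not taken from a real account).
EXPECTED = {"me@example.com": "owner", "colleague@example.com": "view"}
CURRENT = [
    {"principal": "me@example.com", "kind": "user", "role": "owner"},
    {"principal": "Colleague@example.com", "kind": "user", "role": "edit"},
    {"principal": "unknown@example.net", "kind": "user", "role": "view"},
    {"principal": "anyone-with-the-link", "kind": "link", "role": "view"},
]

if __name__ == "__main__":
    for action, who, reason in audit_access(CURRENT, EXPECTED):
        print(f"{action:9} {who}: {reason}")
```

Each finding maps to an action in the step: "remove" entries are the unknown people and links to delete, and "downgrade" entries are the permissions to reduce to the minimum needed.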
What can wait
- You don’t need to decide immediately whether to notify every possible recipient until you confirm who actually has access now.
- You can postpone big cleanup (migrating cloud providers, reorganizing storage) until after you regain account control.
- You don’t need to wipe devices right away unless you have strong signs of malware; first revoke access and lock the account.
Important reassurance
Seeing an unexpected sharing link is alarming, but it’s also a clear, actionable signal: revoke the link, tighten permissions, and secure the account. Those steps often stop further access quickly and prevent the situation from spiraling.
Scope note
This guide covers immediate containment and account control. Next steps depend on what platform you use, whether it’s personal vs. enterprise, and what data may have been exposed.
Important note
This is general information, not legal advice or professional incident response. If this involves an employer/school system or regulated data, follow your organization’s incident procedures and involve your admin/security team promptly.
Additional Resources
- https://support.google.com/drive/answer/2494893?co=GENIE.Platform%3DDesktop&hl=en
- https://support.microsoft.com/en-us/office/manage-sharing-and-permissions-in-onedrive-and-sharepoint-0a36470f-d7fe-40a0-bd74-0ac6c1e13323
- https://www.cisa.gov/topics/cybersecurity-best-practices/multifactor-authentication
- https://www.identitytheft.gov/
- https://www.ic3.gov/CrimeInfo/AccountTakeover
- https://www.fbi.gov/investigate/cyber/alerts/2025/threat-actors-spoofing-the-fbi-ic3-website-for-possible-malicious-activity
- https://www.ic3.gov/PSA/2025/PSA250919