We previously reported on a Dropbox Security Snafu (and their correction for it). Now we’re learning more about how it came about, and how it was discovered.

There are several ways users can inadvertently leak confidential files, but the one that is the real head-scratcher is a combination of a user entering the URL of a Dropbox or Box file-sharing link in their browser’s “search box” rather than the “URL box”, combined with Google AdWords campaigns by competitors who want their ads to appear with people “search” for Dropbox or Box (pretty standard stuff).

The sites running such a campaign then — completely innocently — see what users are searching for, and what they are “searching for” turns out to be fully-clickable URLs to files that often contain sensitive personal or company data.

If you think that’s too rare a scenario to worry about, think again:

In one short and entirely innocently designed ad campaign alone, we found that about 5 per cent of hits represented full links to shared files, half of which required no password to download. This amounted to over 300 documents from a small campaign, including several tax returns, a mortgage application, bank information and personal photos. In one case, corporate information including a business plan was uncovered.

That’s from Richard Anstey of Intralink, the people who stumbled on the issue.

Look at this to see (redacted) images of one person’s tax return, and another’s mortgage application. Identity theft, anyone?

Read more about how Intralink discovered all this, along with some good advice on protecting yourself.

TL;DR: sensitive file? Use a sharing application that offers a password or PIN option.