WeTransfer security failure results in file transfer emails being sent to the wrong people

WeTransfer security failure results in file transfer emails being sent to the wrong people

WeTransfer, the popular online service for sharing large files easily without having to worry about gobbling up email inbox quotas, has suffered what the company is calling a “security incident.”

According to an advisory emailed to affected users, and confirmed on the WeTransfer website, the service sent emails containing file transfer links to unintended email addresses on June 16 and 17.

As a consequence, unauthorised parties could have accessed private files you were attempting to transfer to a trusted party.

Sign up to our free newsletter.
Security news, advice, and tips.
WeTransfer notified users via email.
WeTransfer notified users via email.

The statement on WeTransfer’s website read as follows:

We discovered a security incident on Monday, June 17th, where e-mails supporting our services were sent to unintended e-mail addresses. We are currently informing potentially affected users and have informed the relevant authorities.

This incident took place on June 16th and 17th, and upon discovery, we immediately took precautionary security measures to protect our users. This means that users might have been logged out of their account or asked to reset their password in order to safeguard their account. Additionally, we have blocked Transfer links to ensure the security of our users’ Transfers.

Wetransfer email 1

Unfortunately, WeTransfer’s brief statement leaves plenty of questions hanging in the air:

  • How many users were affected? How many email transfer links were sent to unauthorised parties?
  • How many email addresses were the errant file transfer link messages sent to?
  • Were the unauthorised email recipients seemingly random? Other users of WeTransfer? Or was it just a small number of email addresses that received all the messages?
  • Was this a screw-up or the result of a malicious act?
  • If it is believed it was malicious – have the authorities been informed?
  • What steps have been taken to prevent a similar incident occurring again in the future?
  • WeTransfer claims to be GDPR-compliant, and is based in the EU. Considering the potential sensitive nature of information that might have been being transferred, has the security breach been reported to data protection regulators?

The free version of WeTransfer does not give you the option of password-protecting the download links it sends when you try to share a file with a friend or colleague.

My advice would be to always encrypt sensitive information with a hard-to-crack, unique password before entrusting it to a cloud-based file-sharing service like WeTransfer. And then, of course, use a different medium than email to get that password to the intended recipient.

At least that way you know that you’ve made it considerably less likely that an unauthorised party will be able to snoop through your information if the file-sharing service suffers a security snafu.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.