
Nextcloud puts out fire after data leak panic


TL;DR

  • Nextcloud has addressed a significant data leak concern following updates that raised alarms within its community.
  • The issue was identified after users reported unusual activity linked to a recent software upgrade.
  • Nextcloud confirmed that no personal data was collected without user consent, and the potential leak stemmed from a logic issue in their system.
  • Future updates will include changes to default settings to enhance user privacy and prevent similar issues.

Introduction

Nextcloud, the open-source cloud software provider, has moved quickly to address user concerns over a recent data leak scare. Following an upgrade to version 31.0.0, reports emerged from the community about unexpected data collection activities. The company promptly issued fixes and stated that no user data had been mishandled, responding to the community's calls for transparency and better data protection mechanisms.

What Happened?

Concerns arose when a user on Mastodon, identified as “Niels,” noticed peculiar entries in their Nextcloud server logs shortly after upgrading. They observed that the system appeared to be actively enumerating all local users without explicit consent. This revelation raised alarms, leading to an investigation by Dutch researcher Tobias Fiebig and discussions with Nextcloud’s director of engineering, Andy Scherzinger.

Through this dialogue, they identified that a modification made in a prior February release had altered the default settings, inadvertently causing the Nextcloud server to make excessive requests to its lookup server. According to Scherzinger, this “logic issue” resulted in unnecessary communications rather than improper data collection.

Confirmation and Clarification

Despite initial fears, Nextcloud asserted that it does not store user data without user consent. Scherzinger confirmed via social media discussions that the changes in data requests were the result of internal configuration issues rather than a breach of user privacy. He explained:

“It would trigger a ‘data has changed,’ resulting in the Nextcloud server contacting the lookup server. It would send a request for all users who had any of their data ever set to ‘published.’”

This excessive data traffic was not indicative of a leak but rather operational miscommunication within the Nextcloud ecosystem.

Next Steps and Community Feedback

As a precautionary measure, the Nextcloud team temporarily disabled the lookup server functionality for all users while investigating the issue further. This decision was made to prevent any worries and excessive logging during the troubleshooting phase.

In light of the incident, a key initiative from the community has emerged: users are advocating for data sharing settings to be off by default in future releases. In response, Nextcloud’s upcoming updates will integrate these suggestions, introducing warning popups for administrators and adjusting the federated file sharing preference to enhance user consent and awareness.

Conclusion

Nextcloud’s proactive measures in addressing the data leak concerns solidify its commitment to user privacy and transparency. By swiftly investigating and resolving the situation while adapting its software to prioritize user consent, Nextcloud reaffirms its role as a leading open-source data management solution. As privacy remains a critical issue in digital spaces, remaining agile and responsive will be crucial for Nextcloud’s ongoing success and user trust in future updates.


This article was written with the help of AI.
