

When the token is obtained, either through a phishing attack or a drive-by exploit, it can be used to fool a new machine into thinking the attacker is the account's owner. From there, the attacker can access and steal files, and even add malware or ransomware (which is on the rise) to the victim's cloud folder, which can be used for further attacks. Making matters worse, account owners are almost powerless.

The attack works by grabbing the password token, a small file that sits on a user's devices for convenience (it saves the user from entering their password each time). The report by Imperva, which has a research unit as well as a commercial stake in the security space, said in some cases "recovery of the account from this type of compromise is not always feasible." This is not just an issue for consumers, but also for businesses, which increasingly use cloud-based services to share sensitive customer and corporate data.
