The company developed the scanner after examining the state of cloud deployments using the shodan.io search engine. The scan itself is very basic: it reads the version number that the cloud software exposes and compares it with known releases, from which the security state of the instance can be ascertained.
After realising that many instances were missing updates and were therefore vulnerable, Nextcloud decided to warn the administrators of those instances.
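The article does not say how the version was read. The following is an added example, not Nextcloud's scanner, of the triage step such a version-based scan has to get right. It assumes only that an instance answers an unauthenticated GET to `/status.php` with JSON containing a `versionstring` field (as Nextcloud and ownCloud do); the hosts, the response bodies and the "oldest patched release per branch" table are constructed for illustration and are not real advisory data.

```python
"""Triage self-hosted cloud instances by the version they expose.

Added example, not Nextcloud's own scanner. Assumes an instance answers
GET /status.php with JSON containing "versionstring" (true for Nextcloud
and ownCloud). Hosts, bodies and the MINIMUM_PATCHED table are constructed.
"""
import json
import re

# Hypothetical "oldest release on each major branch that carries the fixes".
# In practice this table is built from the vendor's release notes.
MINIMUM_PATCHED = {
    9: (9, 0, 58),
    10: (10, 0, 5),
    11: (11, 0, 3),
}


def parse_version(s):
    """Turn '10.0.5' or '10.0.5.1' into a tuple of ints.

    Tuples compare numerically, so (10, 0, 5) > (9, 0, 58); comparing the
    raw strings gives the opposite answer ('10.0.5' < '9.0.58'), which is
    the classic mistake in version-based scanners.
    """
    s = s.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", s):
        raise ValueError(f"unparseable version string: {s!r}")
    return tuple(int(part) for part in s.split("."))


def classify(status_json):
    """Classify one /status.php body.

    Returns 'patched', 'outdated', 'unsupported-branch' or 'not-installed'.
    Raises ValueError/KeyError on bodies that are not a usable status JSON.
    """
    data = json.loads(status_json)
    if not data.get("installed", False):
        return "not-installed"
    version = parse_version(data["versionstring"])
    floor = MINIMUM_PATCHED.get(version[0])
    if floor is None:
        # A branch we have no baseline for: report it rather than guess.
        return "unsupported-branch"
    return "patched" if version >= floor else "outdated"


def triage(responses):
    """responses: {host: status.php body}. Returns {host: verdict}.

    Bodies that are not JSON (an HTML error page from a reverse proxy, a
    login page, an empty reply) are reported as 'unknown' instead of
    aborting the whole run, so one odd host cannot hide the rest.
    """
    verdicts = {}
    for host, body in responses.items():
        try:
            verdicts[host] = classify(body)
        except (ValueError, KeyError):  # json.JSONDecodeError is a ValueError
            verdicts[host] = "unknown"
    return verdicts


# Constructed sample responses; hostnames and versions are made up.
SAMPLE_RESPONSES = {
    "cloud-a.example": '{"installed":true,"version":"9.0.53.0","versionstring":"9.0.53","productname":"Nextcloud"}',
    "cloud-b.example": '{"installed":true,"version":"10.0.5.0","versionstring":"10.0.5","productname":"Nextcloud"}',
    "cloud-c.example": '{"installed":true,"version":"12.0.0.0","versionstring":"12.0.0","productname":"Nextcloud"}',
    "cloud-d.example": "<html><body>403 Forbidden</body></html>",
    "cloud-e.example": '{"installed":false}',
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{host:20} {verdict}")
```

The point of the `parse_version` comment is the one that matters for a scan like this: a lexicographic comparison would have flagged every 10.x instance as older than every 9.x instance, so the thresholds must be compared as integer tuples, and anything that cannot be parsed is reported rather than silently treated as patched.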
The company said it did not feel comfortable noting that political parties, hospitals, universities, large corporations and governments were figuring in a list of insecure servers.
"They decided to reach out to users with a personal warning, including the results of the scan. We made sure the security scan would not expose any private data, using unique IDs instead of URLs to present them the results and we kept as quiet as possible on our communication channels about this matter," Nextcloud communications manager Jos Poortvliet said.
The results were good, with 5% upgrading within the first 10 days of being notified.
But even so, Poortvliet said, the company's estimates were that there were at least 100,000 private cloud servers whose owners were unaware that they were sitting ducks for attacks.
As a result, the Nextcloud update tool was rewritten in version 11 to make it easier to use from the command line. From version 12, apps would no longer be disabled during a security update, making the process less intrusive.
"Our ultimate goal is to make updates so seamless they can be done fully automatic without any administrator involvement or downtime. At this moment, we have achieved this on the Nextcloud Box, using Canonical’s Snap technology which automates updates entirely," Poortvliet said.