Google Groups misconfiguration leads to sensitive data leaks


If your employees are using Google Groups to discuss issues and ideas, you might want to check whether the sharing setting for these groups is set to “Private”.


According to RedLock researchers, many companies fail to do so, most probably by accident, and end up exposing messages containing sensitive information on the internet.

By searching for publicly exposed Google Groups within the top 1,000 most visited websites on Alexa, the researchers found hundreds of them, containing information such as PII, employee salary details, customer passwords, and so on.

Among the companies that were leaking information were Fusion Media Group (the parent company of Gizmodo, The Onion, and other online publications), IBM-owned The Weather Company (which operates Weather Underground and weather.com), and cloud-based helpdesk support software provider Freshworks.

RedLock CEO Varun Badhwar told Steve Ragan that they’ve contacted or attempted to contact the companies in question to notify them of the problem. Apparently, some reacted quickly to secure the groups, while others are taking their sweet time or have ignored the communication.

The problem is (luckily!) easily solved, but situations such as these are too common, and sensitive data leakage due to configuration errors could lead to many problems for organizations and businesses.

In the last few weeks, there have been some high-profile instances of Amazon S3 cloud-based repositories leaking data as a result of misconfiguration: Dow Jones and Verizon customer data was made accessible to anyone who knew where to look.