01 Jun 18

Are Your Google Groups Leaking Data?

Google is reminding organizations to review how much of their Google Groups mailing lists should be public and indexed by Google.com. The notice was prompted in part by a review that KrebsOnSecurity undertook with several researchers who’ve been busy cataloging thousands of companies that are using public Google Groups lists to manage customer support and in some cases sensitive internal communications.

Google Groups is a service from Google that provides discussion groups for people sharing common interests. Because of the organic way Google Groups tend to grow as more people are added to projects — and perhaps given the ability to create public accounts on otherwise private groups — a number of organizations with household names are leaking sensitive data in their message lists.

Many Google Groups leak emails that should probably not be public but are nevertheless searchable on Google, including personal information such as passwords and financial data, and in many cases comprehensive lists of company employee names, addresses and emails.

By default, Google Groups are set to private. But Google acknowledges that there have been “a small number of instances where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings.”

In early May, KrebsOnSecurity heard from two researchers at Kenna Security who started combing through Google Groups for sensitive data. They found thousands of organizations that seem to be inadvertently leaking internal or customer information.

The researchers say they discovered more than 9,600 organizations with public Google Groups settings, and estimate that about one-third of those organizations are currently leaking some form of sensitive email. Those affected include Fortune 500 companies, hospitals, universities and colleges, newspapers and television stations and U.S. government agencies.

In most cases, to find sensitive messages it’s enough to load the company’s public Google Groups page and start typing in key search terms, such as “password,” “account,” “hr,” “accounting,” “username” and “http:”.

Many organizations seem to have used Google Groups to index customer support emails, which can contain all kinds of personal information — particularly in cases where one employee is emailing another.

Here are just a few of their more eyebrow-raising finds:

• Re: Document(s) for Review for Customer [REDACTED]. Group: Accounts Payable
• Re: URGENT: Past Due Invoice. Group: Accounts Payable
• Fw: Password Recovery. Group: Support
• GitHub credentials. Group: [REDACTED]
• Sandbox: Finish resetting your Salesforce password. Group: [REDACTED]
• RE: [REDACTED] Suspension Documents. Group: Risk and Fraud Management

Apart from exposing personal and financial data, misconfigured Google Groups accounts sometimes publicly index a tremendous amount of information about the organization itself, including links to employee manuals, staffing schedules, reports about outages and application bugs, as well as other internal resources.

This information could be a potential gold mine for hackers seeking to conduct so-called “spearphishing” attacks that single out specific employees at a targeted organization. Such information also would be useful for criminals who specialize in “business email compromise” (BEC) or “CEO fraud” schemes, in which thieves spoof emails from top executives to folks in finance asking for large sums of money to be wired to a third-party account in another country.

“The possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse,” the Kenna Security team wrote.

In its own blog post on the topic, Google said organizations using Google Groups should carefully consider whether to change the access to groups from “private” to “public” on the Internet. The company stresses that public groups have the marker “shared publicly” right at the top, next to the group name.

“If you give your users the ability to create public groups, you can always change the domain-level setting back to private,” Google said. “This will prevent anyone outside of your company from accessing any of your groups, including any groups previously set to public by your users.”

If your organization is using Google Groups mailing lists, please take a moment to read Google’s blog post about how to check for oversharing.

Also, unless you require some groups to be available to external users, it might be a good idea to turn your domain-level Google Group settings to default “private,” Kenna Security advises.

“This will prevent new groups from being shared to anonymous users,” the researchers wrote. “Secondly, check the settings of individual groups to ensure that they’re configured as expected. To determine if external parties have accessed information, Google Groups provides a feature that counts the number of ‘views’ for a specific thread. In almost all sampled cases, this count is currently at zero for affected organizations, indicating that neither malicious nor regular users are utilizing the interface.”
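The two checks the researchers recommend (a domain-level default of private, then a per-group review of who can view, discover and join each list) can be automated once an administrator has pulled each group's settings. The following Python audit is an added example, not code from KrebsOnSecurity, Google or Kenna Security; it classifies groups by how exposed their settings leave them. The field names and values follow the Groups Settings API `groups` resource (`whoCanViewGroup`, `whoCanDiscoverGroup`, `whoCanJoin`, `allowExternalMembers`); the four group records embedded below are constructed sample data, and the `example.com` domain is a placeholder.

```python
"""Flag Google Groups whose settings expose them beyond the organisation.

Added example (not from the original post). Field names follow the Groups
Settings API `groups` resource; the records in SAMPLE_GROUPS are constructed
sample data for an imaginary example.com domain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Setting values that open a group to anonymous internet users.
PUBLIC_VIEW = {"ANYONE_CAN_VIEW"}          # whole archive readable by anyone
PUBLIC_DISCOVER = {"ANYONE_CAN_DISCOVER"}  # group listed/indexable by anyone
PUBLIC_JOIN = {"ANYONE_CAN_JOIN"}          # anyone can become a member


@dataclass
class Finding:
    email: str
    severity: str                 # "high", "medium" or "low"
    reasons: List[str] = field(default_factory=list)


def _truthy(value: Optional[str]) -> bool:
    # The Groups Settings API returns most booleans as the strings "true"/"false".
    return str(value).lower() == "true"


def audit_group(settings: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for an exposed group, or None if it is internal-only."""
    reasons: List[str] = []
    severity: Optional[str] = None

    if settings.get("whoCanViewGroup") in PUBLIC_VIEW:
        # This is the "shared publicly" case: every archived message is readable
        # by anonymous users and can be indexed by search engines.
        reasons.append("whoCanViewGroup=ANYONE_CAN_VIEW: archive readable by anyone")
        severity = "high"
    if settings.get("whoCanDiscoverGroup") in PUBLIC_DISCOVER:
        reasons.append("whoCanDiscoverGroup=ANYONE_CAN_DISCOVER: group listed publicly")
        severity = severity or "medium"
    if settings.get("whoCanJoin") in PUBLIC_JOIN:
        reasons.append("whoCanJoin=ANYONE_CAN_JOIN: anonymous users can join")
        severity = severity or "medium"
    if _truthy(settings.get("allowExternalMembers")):
        reasons.append("allowExternalMembers=true: members outside the domain allowed")
        severity = severity or "low"

    if not reasons:
        return None
    return Finding(settings["email"], severity, reasons)


def audit_groups(records: List[Dict[str, str]]) -> List[Finding]:
    """Audit every group record; preserves input order, skips clean groups."""
    return [f for f in (audit_group(r) for r in records) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {"high": 1, "medium": 1, "low": 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample records in the shape returned by groups().get(...).
SAMPLE_GROUPS: List[Dict[str, str]] = [
    {"email": "support@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanDiscoverGroup": "ANYONE_CAN_DISCOVER", "whoCanJoin": "CAN_REQUEST_TO_JOIN",
     "allowExternalMembers": "false"},
    {"email": "accounts-payable@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER", "whoCanJoin": "INVITED_CAN_JOIN",
     "allowExternalMembers": "false"},
    {"email": "announce@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanDiscoverGroup": "ANYONE_CAN_DISCOVER", "whoCanJoin": "ANYONE_CAN_JOIN",
     "allowExternalMembers": "true"},
    {"email": "eng-internal@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanDiscoverGroup": "ALL_MEMBERS_CAN_DISCOVER", "whoCanJoin": "INVITED_CAN_JOIN",
     "allowExternalMembers": "true"},
]

if __name__ == "__main__":
    # In production the records would come from the Groups Settings API, e.g.
    # googleapiclient.discovery.build("groupssettings", "v1", credentials=creds)
    #   .groups().get(groupUniqueId=email).execute()
    # for each group listed via the Admin SDK Directory API.
    for finding in audit_groups(SAMPLE_GROUPS):
        print(f"[{finding.severity.upper()}] {finding.email}")
        for reason in finding.reasons:
            print(f"    - {reason}")
    print(summarize(audit_groups(SAMPLE_GROUPS)))
```

Only `whoCanViewGroup=ANYONE_CAN_VIEW` is rated high, because that is the setting that makes the archive readable (and indexable) without authentication; the other values widen membership or discoverability but do not by themselves publish past messages. Pairing the high-severity list with the per-thread view count mentioned by the researchers gives a quick way to prioritise which groups to re-lock first.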


21 comments

  1. C'mon guys, don't be so naive!
    Just look who owns Google.
    No questions about it; even if you're clever you can connect the dots.

    • Who in your opinion “owns google” exactly? Can you explain?

      • It should be as simple as A, B, C.

        Or perhaps he is implying that one of the cofounders, being of Russian origin, is “colluding” with his mother land.

      • Who owns Google?? Why do you ask this? We all should know who runs the show! Nothing is just happening just because it's happening…everything has a reason.
        The USA will soon be like the old Soviet Union 🙂 100% guaranteed; those who understood this…well, they can't do anything about it.

        • Alphabet and Google are owned by their stockholders, last I checked.

        • Ah, love my conspiracy theorists. The USA, and probably no country, could ever be as bad off as the old Soviet Union: think of Mexico but without its access to US jobs and $$$.

  2. Thanks for the heads up, Brian!!

  3. Prakash pradhan

    Data not found

  4. G.co – by the people, 4 the people

  5. Not being familiar with Google Groups, do you pay for this ‘tool’? If so, then you should be able to expect privacy of your information and you should be able to easily adjust your settings to suit your needs..

    If this is a free service, then ‘you are the product’.

    • The article is talking about Google Groups that have been set up as part of Google's *paid* G Suite offering, which is essentially a whole bunch of Google services, including Gmail, administered by the company under its own specific domain.

      Google provides the services, but it’s up to the administrators of the company using it to ensure the scope of their message boards is set correctly. Google is not at fault if a client mistakenly makes their Google Groups message boards public.

      And no, since this is a paid service, Google does not harvest the data for its own purposes (other than to support the services they offer as part of the deal), but I guess some people's paranoia might make them think otherwise.

      • Hayden Tennent

        Google Groups is an “additional service” and is not covered by a G Suite agreement.

  6. Celebrities over-share their thoughts online.
    Ordinary people over-share their photos online.

    Companies sharing too much online is just an inevitable part of the trend.

    /s

  7. The Sunshine State

    Spammers use “Google Groups” enough said here!

  8. I wish Google will one day change the way mailing lists are handled altogether. Setting up mailing lists in Google Groups is such an odd way to do it. I’ve been complaining about it to them for years because it is too easy for something like this to happen.

    Mailing lists (especially internal ones) should never be set up in something like Google Groups. Not to mention Google Groups hasn’t really had a mass overhaul like lots of their other products in quite a while.

  9. Cue the legions of “professionals” using Yahoo Groups to handle legitimate business.

  10. Not being familiar with Google Groups, do you pay for this ‘tool’? If so, then you should be able to expect privacy of your information and you should be able to easily adjust your settings to suit your needs..A greeting!!

  11. I want to update my hotmail account but am very fearful to do it. I have Windows Vista on my computer because I have DOS database program that can only run on Vista or earlier versions. It looks like I would have to update to Windows 8 to be able to update the hotmail account (or convert to outlook). Can I update the hotmail and still keep the Windows Vista (which I must keep for my work)?

  12. So they found e-mail addresses..lol

  13. This is old news: https://blog.redlock.io/google-groups-misconfiguration

    I actually found an org I was managing was leaking data this way with the default configuration (set up back in 2013 though).