13 thoughts on “Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services”

  1. zuo

    What Google says is simply not true. Attacks started around early June. I write here as one of the victims from that time. Even more – I have a Buganizer ticket number from June the 7th with initial findings. It was fixed about a month later.

  2. Paul B

    I’ve had several bogus workplace trials started for my personal domains and had to dig to discover how to shut them down. The flaw is that no verification is required to sign up and start the trial. The trial will expire without control of the domain DNS entries but they should never allow it to even start if you can’t confirm via an in-domain email. This is kindergarten-level security but Google is more interested in making it easy to get hooked in. I have no idea what those first days of free trial allow them to do but it shouldn’t even be a question. I get a ‘thanks for signing up’ email that has no link to abort the fraudulent signup or to require a verification of any sort. Maybe that was pen testing that led to this breach or maybe it was amateurs hoping to cash in somehow. Google=evil.

    Krebs, please give them hell for this!

  3. David Keaton

    The problem started much earlier than advertised. Two separate bad actors created bogus Google Workspace (and its predecessor Google Apps) accounts for my domain in 2012 and again in July, 2023. The first time, I took over the account by proving I owned the domain, and then eventually shut the account down. The second time, I decided not to shut the account down after taking it over, to prevent a third time.

    The second time, Google had “improved” its security so that I had a devil of a time getting Google support to help me reclaim my domain in Google Workspace. You have to already be logged into the hacker’s account to get support, which means you have to hack the hacker before Google will provide support.

    In 2012, Google created a regular account (not just a trial) using my domain name for the first impostor without ever asking for domain verification. In 2023, the account they created for the second impostor was just a trial.

  4. Manuel

    Glad that I canceled Google Workplace a while ago and moved to Zoho.

  5. Not Thomas Mathew Crooks

    At first when I read this I thought it was about Thomas Matthew Crooks! I was confused…

  6. AMIT CHUGH

    Yes, it’s kindergarten stuff and not as much a security threat. Will stick around with Google for now.

  7. AMIT CHUGH

    Yes, it’s a basic security threat and not as much a security threat. Will stick around with Google for now.

  8. AMIT CHUGH

    Will stick around with Google for now. This was detected much earlier and cyber experts have used it in the past to bypass Gmail security.
