Are Your Google Groups Leaking Data?

Google is reminding organizations to review how much of their Google Groups mailing lists should be public and indexed by Google.com. The notice was prompted in part by a review that KrebsOnSecurity undertook with several researchers who’ve been busy cataloging thousands of companies that are using public Google Groups lists to manage customer support and in some cases sensitive internal communications.

Google Groups is a service from Google that provides discussion groups for people sharing common interests. Because of the organic way Google Groups tend to grow as more people are added to projects — and perhaps given the ability to create public accounts on otherwise private groups — a number of organizations with household names are leaking sensitive data in their message lists.

Many Google Groups leak emails that should probably not be public but are nevertheless searchable on Google, including personal information such as passwords and financial data, and in many cases comprehensive lists of company employee names, addresses and emails.

By default, Google Groups are set to private. But Google acknowledges that there have been “a small number of instances where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings.”

In early May, KrebsOnSecurity heard from two researchers at Kenna Security who started combing through Google Groups for sensitive data. They found thousands of organizations that seem to be inadvertently leaking internal or customer information.

The researchers say they discovered more than 9,600 organizations with public Google Groups settings, and estimate that about one-third of those organizations are currently leaking some form of sensitive email. Those affected include Fortune 500 companies, hospitals, universities and colleges, newspapers and television stations and U.S. government agencies.

In most cases, to find sensitive messages it’s enough to load the company’s public Google Groups page and start typing in key search terms, such as “password,” “account,” “hr,” “accounting,” “username” and “http:”.

Many organizations seem to have used Google Groups to index customer support emails, which can contain all kinds of personal information — particularly in cases where one employee is emailing another.

Here are just a few of their more eyebrow-raising finds:

  • Re: Document(s) for Review for Customer [REDACTED]. Group: Accounts Payable
  • Re: URGENT: Past Due Invoice. Group: Accounts Payable
  • Fw: Password Recovery. Group: Support
  • GitHub credentials. Group: [REDACTED]
  • Sandbox: Finish resetting your Salesforce password.
  • Group: [REDACTED]
  • RE: [REDACTED] Suspension Documents.
  • Group: Risk and Fraud Management

Apart from exposing personal and financial data, misconfigured Google Groups accounts sometimes publicly index a tremendous amount of information about the organization itself, including links to employee manuals, staffing schedules, reports about outages and application bugs, as well as other internal resources.

This information could be a potential gold mine for hackers seeking to conduct so-called “spearphishing” attacks that single out specific employees at a targeted organization. Such information also would be useful for criminals who specialize in “business email compromise” (BEC) or “CEO fraud” schemes, in which thieves spoof emails from top executives to folks in finance asking for large sums of money to be wired to a third-party account in another country.

“The possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse,” the Kenna Security team wrote.

In its own blog post on the topic, Google said organizations using Google Groups should carefully consider whether to change the access to groups from “private” to “public” on the Internet. The company stresses that public groups have the marker “shared publicly” right at the top, next to the group name.

“If you give your users the ability to create public groups, you can always change the domain-level setting back to private,” Google said. “This will prevent anyone outside of your company from accessing any of your groups, including any groups previously set to public by your users.”

If your organization is using Google Groups mailing lists, please take a moment to read Google’s blog post about how to check for oversharing.

Also, unless you require some groups to be available to external users, it might be a good idea to turn your domain-level Google Group settings to default “private,” Kenna Security advises.

“This will prevent new groups from being shared to anonymous users,” the researchers wrote. “Secondly, check the settings of individual groups to ensure that they’re configured as expected. To determine if external parties have accessed information, Google Groups provides a feature that counts the number of ‘views’ for a specific thread. In almost all sampled cases, this count is currently at zero for affected organizations, indicating that neither malicious nor regular users are utilizing the interface.”

Google is reminding organizations to review how much of their Google Groups mailing lists should be public and indexed by Google.com. The notice was prompted in part by a review that KrebsOnSecurity undertook with several researchers who’ve been busy cataloging thousands of companies that are using public Google Groups lists to manage customer support and in some cases sensitive internal communications.