Hundreds of companies expose PII, private emails through Google Groups error

Oversight, not flaws, has led to some serious data exposure for firms including IBM's Weather Company and SpotX.
Written by Charlie Osborne, Contributing Writer
Christopher Schirner

A small settings error has resulted in the exposure of confidential business emails and employee data, researchers have warned.

On Monday, RedLock revealed in a blog post that companies including IBM's Weather Company, Fusion Media Group -- the parent firm of companies including Gizmodo, The Onion, and Lifehacker -- as well as helpdesk support service provider Freshworks and video ad platform SpotX were affected by the security issue.

According to the team, "hundreds" of Google Groups have publicly exposed messages containing sensitive information belonging to such companies, all because of a customer-controlled configuration error in the service.

Google Groups is used by companies as a collaborative tool and communication platform. Email-based groups keep teams in contact and control which messages reach whom. But when a group is created with the "public on the Internet" sharing setting rather than "private" (found under the "Outside this domain -- access to groups" tab), every message exchanged between its members can be read by anyone on the Internet, with no need to be a member of the group at all.
RedLock researchers found that email addresses, email content, personally identifiable information (PII) including employee salary compensation, sales pipeline data, customer passwords, names, and home addresses at hundreds of companies were left online for the world to see.

Screenshot images viewed by ZDNet verified the exposure of information belonging to Fusion Media Group and SpotX which included email messages, contact details, and personal discussions between executives and staff.

This is not a security vulnerability in itself; public groups are a deliberate feature of Google Groups that some organizations find useful. The incident nonetheless shows that overlooking a single setting can have devastating consequences for a business.

Should this corporate information be put to use by an attacker, corporate accounts could be hijacked, the data could be mined for phishing campaigns, and sensitive conversations never meant for the public sphere could be leaked.

To prevent such a mass exposure of private corporate data once again being left for anyone on the Internet to see, RedLock recommends that companies immediately check their Google Groups settings to make sure the setting "Outside this domain -- access to groups" is switched to "private."
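The check RedLock recommends can be automated across all of an organization's groups. The following is an added example, not code from RedLock or the article: it takes group settings records shaped like the Google Groups Settings API response (the field names `whoCanViewGroup` and `whoCanPostMessage` and their values are an assumption about that API and should be verified against it) and flags every group whose archive is readable beyond its members. The records are constructed sample data.

```python
# Added example: audit Google Groups settings records and flag groups whose
# message archive is exposed beyond the group's own members. The records are
# constructed sample data shaped like the Google Groups Settings API response;
# the field names and values below are an assumption about that API.

# Values of whoCanViewGroup, most to least permissive (assumed API values).
PUBLIC_VIEW = "ANYONE_CAN_VIEW"          # anyone on the Internet, no membership needed
DOMAIN_VIEW = "ALL_IN_DOMAIN_CAN_VIEW"   # any account in the organization's domain


def classify_group(settings):
    """Return 'public', 'domain' or 'private' for one group's settings record."""
    view = settings.get("whoCanViewGroup", "")
    if view == PUBLIC_VIEW:
        return "public"
    if view == DOMAIN_VIEW:
        return "domain"
    return "private"


def audit_groups(records):
    """Return one finding per group whose archive is readable beyond its members.

    A finding names the group, its exposure level, and whether anyone on the
    Internet may also post into it (an abuse vector, not just a read leak).
    """
    findings = []
    for rec in records:
        level = classify_group(rec)
        if level == "private":
            continue
        findings.append({
            "email": rec["email"],
            "exposure": level,
            "open_posting": rec.get("whoCanPostMessage") == "ANYONE_CAN_POST",
        })
    return findings


SAMPLE_RECORDS = [  # constructed sample data, not real groups
    {"email": "eng-oncall@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
    {"email": "sales-pipeline@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanPostMessage": "ANYONE_CAN_POST"},
    {"email": "hr-comp@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanPostMessage": "ALL_MANAGERS_CAN_POST"},
]

if __name__ == "__main__":
    for f in audit_groups(SAMPLE_RECORDS):
        print(f"{f['email']}: archive {f['exposure']}, open posting={f['open_posting']}")
```

Groups reported as "domain" are not world-readable, but they still expose content to every account in the organization rather than only to members, which is worth reviewing for HR or sales lists.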

"Simple misconfiguration errors -- whether in SaaS applications or cloud infrastructure -- can have potentially devastating effects," said Varun Badhwar, CEO and co-founder of RedLock. "Recent data leaks at companies such as Deep Root Analytics, WWE, and Booz Allen Hamilton have demonstrated the impact these simple errors can have."

"In today's environment, it's imperative that every organization take steps to educate employees on security best practices and leverage tools that can automate the process of securing applications, workloads and other systems," Badhwar added.

Speaking to ZDNet, a SpotX spokesperson said:

"Our team has completed a very thorough audit of all of our Google Groups to ensure that our communications are tightly secure, and we can confirm that all information that is not intended for the public is indeed secured.
In addition, we have updated our group creation requirements. We place the utmost importance on client, partner and employee data, and our team works hard to ensure all data is secure. We will continue to do so."
