Privacy News Are Your Google Groups Leaking Data?

[LASER_oneXM]

Content source

https://krebsonsecurity.com/2018/06/is-your-google-groups-leaking-data/

Google is reminding organizations to review how much of their Google Groups mailing lists should be public and indexed by Google.com. The notice was prompted in part by a review that KrebsOnSecurity undertook with several researchers who’ve been busy cataloging thousands of companies that are using public Google Groups lists to manage customer support and in some cases sensitive internal communications.
...
... ...
...
Many Google Groups leak emails that should probably not be public but are nevertheless searchable on Google, including personal information such as passwords and financial data, and in many cases comprehensive lists of company employee names, addresses and emails.

By default, Google Groups are set to private. But Google acknowledges that there have been “a small number of instances where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings.”

In early May, KrebsOnSecurity heard from two researchers at Kenna Security who started combing through Google Groups for sensitive data. They found thousands of organizations that seem to be inadvertently leaking internal or customer information.

The researchers say they discovered more than 9,600 organizations with public Google Groups settings, and estimate that about one-third of those organizations are currently leaking some form of sensitive email. Those affected include Fortune 500 companies, hospitals, universities and colleges, newspapers and television stations and U.S. government agencies.

This information could be a potential gold mine for hackers seeking to conduct so-called “spearphishing” attacks that single out specific employees at a targeted organization. Such information also would be useful for criminals who specialize in “business email compromise” (BEC) or “CEO fraud” schemes, in which thieves spoof emails from top executives to folks in finance asking for large sums of money to be wired to a third-party account in another country.

“The possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse,” the Kenna Security team wrote.