Slashdot Mirror

← Back to Stories (view on slashdot.org)

Thousands of Organizations Are Exposing Sensitive Data Via Google Groups Lists, Researchers Find (krebsonsecurity.com)

Posted by msmash on from the privacy-woes dept.

Brian Krebs reports: Google is reminding organizations to review how much of their Google Groups mailing lists should be public and indexed by Google.com. The notice was prompted in part by a review that KrebsOnSecurity undertook with several researchers who've been busy cataloging thousands of companies that are using public Google Groups lists to manage customer support and in some cases sensitive internal communications. Google Groups is a service from Google that provides discussion groups for people sharing common interests. Because of the organic way Google Groups tend to grow as more people are added to projects -- and perhaps given the ability to create public accounts on otherwise private groups -- a number of organizations with household names are leaking sensitive data in their message lists. Many Google Groups leak emails that should probably not be public but are nevertheless searchable on Google, including personal information such as passwords and financial data, and in many cases comprehensive lists of company employee names, addresses and emails. Google has outlined instructions on how to secure the discussion boards.

11 of 20 comments (clear)

  1. nice by zlives · · Score: 1

    "Google has outlined instructions on how to secure the discussion boards" from google...

  2. G-Suite is lacking basic alias forwarding by mea_culpa · · Score: 1

    Every other email service provider offers a way to create alias accounts that forward to specific mailboxes suck as invoices, info, billing, etc. G-Suite doesn't offer this basic functionality. Users that want this have to create a group and it isn't exactly straight forward on how to do it.

    1. Re:G-Suite is lacking basic alias forwarding by Anonymous Coward · · Score: 1

      Ummm.... I have a dozen G-Suite domains... they all support simple alias accounts. You don't create an "alias account" and then point it to an account to forward to, you go into the account to forward to and create an alias for it. Aliases are free and work exactly how you're describing. You could even add filter rules for messages sent to the alias to also forward to many other accounts. You don't need a group.

    2. Re:G-Suite is lacking basic alias forwarding by asdfman2000 · · Score: 1

      Forwarding through a gmail account is very unfriendly from an IT admin side. It requires an authorization step on the recipient side, and is then managed outside of the GSuite Admin Interface.

      The default settings for google groups are either wide-open or overly locked down. Internally, we have a step-by-step guide we follow every time we create one to make sure we don't miss permissions and expose data publicly.

    3. Re:G-Suite is lacking basic alias forwarding by SantiagoMcRib · · Score: 1

      While it's true that G-Suite's current alias (nickname) feature is exactly what he's describing, what I think he means is that G-Suite does not have a simple method for creating either a distribution list or a shared mailbox.

      If I recall correctly, the Groups product was adapted to fill this hole in the Gmail functionality when Google Apps for Business was created. Unfortunately it was never really brought up to feature parity with what an exchange admin expects to be able to do.

    4. Re:G-Suite is lacking basic alias forwarding by zenbi · · Score: 1

      Having experience with the admin interfaces for both Google Apps for Business and for Microsoft's Outlook/Office accounts, I very much prefer the Google versions. The Google interface makes far more sense and is more responsive, while the Microsoft's is excruciatingly slow and looks like it was thrown together by a group of CS 101 students.

  3. Google UI is terrible by El_Muerte_TDS · · Score: 1

    Configuring settings for groups is horrible. There are a whole bunch of settings, which do not really align with google's recommendations. And there is also no option to check if any of the groups which exist are readable from the "internet". You have to check every single group, and then 4 different sections, etc.

  4. Re:I miss USENET by antdude · · Score: 1

    Um, usenet is still alive for some people. I'm on it right now!

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  5. Re:I miss USENET by jtgd · · Score: 1

    Those were the good ol' days. I liked groups like sci.crypt and comp.compression where smart guys hung out and some good information could be had. After usenet died they all went.... who knows where. Scattered to the four corners of the internet. Sure there might be web sites where the info can be found, but there's a lot to be said for having one place to go.

    --
    J
  6. Re:I miss USENET by pnutjam · · Score: 1

    dude, I know your old, but this is slashdot... you must be getting confused.
    ;)

    --
    Cheap storage VM.
  7. Re:I miss USENET by antdude · · Score: 1

    My old what, whippersnapper? :P

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).