July 27, 2017
A small settings error in Google Groups has compromised confidential business emails and employee data of hundreds of companies. According to researchers at Redlock, hundreds of groups have publicly exposed emails containing sensitive information belonging to these companies.
The California-based security and compliance company said in its blog post that the affected companies include Fusion Media Group, the parent firm of a long list of companies including Gizmodo, The Onion, and Lifehacker, as well as helpdesk support service provider Freshworks and video ad platform SpotX.
“Google Groups, a service that is a part of G Suite, allows organizations to create and participate in online forums and email-based groups. When configuring a Google Group, changing the sharing option for “Outside this domain - access to groups” enables you to make the messages public or private. Our Cloud Security Intelligence team discovered that many organizations have accidentally set this field to “Public on the internet”, exposing messages containing sensitive information such as PII (name, email, home address, etc.),” said Redlock in its blog post.
Google Groups is a collaborative tool used by companies as a communications platform. Email-based groups, the core of its activity, are used to maintain communication and control messages between teams. The trouble was that when such a group was created, the companies chose the "public on the Internet" sharing setting. This let anybody with internet access view the emails and files uploaded to the group.
Google has sent users a notification directing them to change the setting. To make sure you are not affected, go to the settings and select “private” under the "Outside this domain - access to groups" tab. This restricts the messages to the members of the group.