Losing a job when a startup collapses is tough enough, but a newly uncovered vulnerability adds another layer of concern. Employees at failed startups may face a heightened risk of having their personal data stolen, from private messages on Slack to Social Security numbers and bank account details.
The Problem: Old Google Logins and Defunct Domains
Dylan Ayrey, co-founder and CEO of Truffle Security, discovered a flaw related to Google OAuth, the technology behind “Sign in with Google.” His findings, presented at the ShmooCon security conference, reveal how hackers could exploit old domains from defunct startups to access sensitive data.
Here’s how it works:
- Hackers purchase the expired domain of a failed startup.
- With the domain, they can recreate email addresses previously used by the startup’s employees.
- Using the “Sign in with Google” option, hackers can access cloud-based software tied to the company, such as Slack, ChatGPT, Zoom, or HR systems.
- From these platforms, they can uncover employee information and potentially sensitive data like Social Security numbers or banking details stored in HR systems.
Ayrey tested the vulnerability by purchasing a defunct startup’s domain, successfully gaining access to multiple cloud platforms. He identified HR systems as the greatest risk, given the valuable personal information they often store.
Why Startups Are Particularly Vulnerable
Startups are frequent users of Google Workspace and cloud-based tools, making them prime targets for this type of exploit. Ayrey estimates that tens of thousands of former employees and millions of SaaS accounts could be at risk. His research identified 116,000 domains from failed tech startups currently available for purchase.
A Flawed Fix: Google’s Sub-Identifier
Google offers a solution within its OAuth configuration called a “sub-identifier.” This unique numeric code, tied to a Google account, should prevent hackers from using recreated email addresses to access cloud services. However, implementation challenges have limited its effectiveness:
- An affected SaaS HR provider found that sub-identifiers changed in 0.04% of cases, creating login issues for legitimate users.
- As a result, some providers opt not to use this feature.
Google disputes claims that sub-identifiers can change and has not addressed this issue in a technical fix, instead urging cloud providers to implement the sub-identifier.
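The account-matching decision at the heart of the issue, as an added Python example that is not Truffle Security's, Google's, or any HR provider's code. It assumes the ID token's signature and audience have already been verified upstream; the account directory and the claim payloads are constructed stand-ins for real token contents.

```python
"""Linking a verified Google ID token to a SaaS account: email-keyed vs sub-keyed."""
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    sub: str                      # Google's stable numeric subject identifier
    hr_records: dict = field(default_factory=dict)

# Constructed directory: what an HR app stored while the startup still existed.
ACCOUNTS = [
    Account("alice@failed-startup.example", "100000000000000000001",
            hr_records={"ssn_last4": "1234"}),
]

def lookup_by_email(claims: dict):
    """Weak path: trusts the email claim. Whoever later re-registers the domain can
    create a Workspace mailbox with the same address and inherit this account.
    Checking the `hd` (hosted domain) claim does not help: the new owner has it too."""
    for acct in ACCOUNTS:
        if acct.email == claims["email"]:
            return acct
    return None

def lookup_by_sub(claims: dict):
    """Hardened path: keys on `sub`. A re-created mailbox on a resold domain gets a
    brand-new sub, so it matches nothing. Returns (status, account) where status is
    "ok", "new_user", or "mismatch". A known email with an unknown sub is either a
    takeover or one of the rare sub changes the article mentions; in both cases the
    app must not auto-link, it should force manual re-verification."""
    for acct in ACCOUNTS:
        if acct.sub == claims["sub"]:
            return "ok", acct
    if any(acct.email == claims["email"] for acct in ACCOUNTS):
        return "mismatch", None
    return "new_user", None

# Constructed verified-token payloads (not real Google tokens).
ORIGINAL_LOGIN = {"email": "alice@failed-startup.example",
                  "hd": "failed-startup.example", "sub": "100000000000000000001"}
AFTER_DOMAIN_RESALE = {"email": "alice@failed-startup.example",
                       "hd": "failed-startup.example", "sub": "100000000000000000002"}

if __name__ == "__main__":
    print("email-keyed, after resale:", lookup_by_email(AFTER_DOMAIN_RESALE))
    print("sub-keyed, after resale:  ", lookup_by_sub(AFTER_DOMAIN_RESALE))
```

Run as a script, it shows the email-keyed lookup handing the stored HR record to the post-resale identity while the sub-keyed lookup reports a mismatch.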
Google’s Response
Initially, Google dismissed Ayrey’s findings, categorizing them as a “fraud” issue rather than a technical flaw. However, three months later, after Ayrey’s ShmooCon talk was accepted, Google reopened the case, awarded Ayrey a $1,337 bounty, and updated its documentation to emphasize the importance of using the sub-identifier.
Google has also provided guidance for founders on properly shutting down Google Workspace accounts to prevent such vulnerabilities. However, the company has yet to issue a broader technical solution or timeline for addressing the problem.
Prevention: A Shared Responsibility
While Google’s tools function as intended, the issue highlights a gap in how companies wind down operations. Founders often overlook the need to properly close cloud services during the emotionally and logistically challenging process of shutting down a business.
“When the founder has to deal with shutting the company down, they’re probably not in a great headspace to think about all the things they need to be doing,” Ayrey said.
What Employees Can Do
For individuals, there’s little they can do to address vulnerabilities caused by their former employers. However, staying vigilant about suspicious activity and securing personal accounts with strong, unique passwords and two-factor authentication can provide some level of protection.
As startups continue to leverage cloud services, the risk of data exposure during shutdowns remains a pressing concern. Companies, cloud providers, and employees alike must prioritize security to mitigate potential threats.