- By JeffkomStory Team
Employees of Failed Startups Face Risks of Data Theft Through Old Google Logins
Introduction
Failed startups can leave employees exposed to a range of data risks, including stolen Social Security numbers, private messages, and bank information, according to Dylan Ayrey, a cybersecurity researcher and CEO of Truffle Security.
Ayrey revealed the vulnerability at ShmooCon, a security conference, after finding flaws in Google OAuth, the “Sign in with Google” feature. Malicious actors can exploit these flaws by buying domains of failed startups. With control of a domain, hackers can log into employee accounts across cloud-based platforms like Slack, ChatGPT, and HR systems using recreated email addresses.
How the Exploit Works
Hackers using defunct domains can log into cloud applications configured for company-wide access. Many apps provide directories or user profiles that allow further discovery of former employees’ data. By using the “Sign in with Google” option, attackers can log into additional SaaS services tied to the startup.
To prove the risk, Ayrey bought a defunct startup domain and was able to log into platforms with sensitive data, including HR records with Social Security numbers. Google says Gmail accounts and Google Docs are not affected, but employees using SaaS platforms are at risk.
Existing Safeguards and Limitations
Google’s OAuth has a “sub-identifier” to prevent this attack. This identifier is unique to each Google account and should prevent domain-based impersonation. But some SaaS providers don’t use it because of reported inconsistencies. Ayrey found that one HR provider had a 0.04% sub-identifier mismatch rate, which resulted in failed logins and operational issues. Google disputes this but has updated its documentation to encourage SaaS providers to use sub-identifiers.
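The difference between keying accounts on the email address and keying them on the sub-identifier (the `sub` claim of the Google ID token), shown as an added example that is not from the original article or from any provider it mentions. The account store, claim values and function names are constructed, and the claims are assumed to come from an ID token whose signature has already been verified.

```python
# Added example: account lookup in a SaaS app that offers "Sign in with Google".
# All values are constructed; claims are assumed to be signature-verified already.
from dataclasses import dataclass

@dataclass
class Account:
    account_id: int
    email: str
    google_sub: str  # value of the `sub` claim recorded at the first login

ACCOUNTS = [Account(1, "alice@defunct-startup.example", "sub-1111")]

def login_by_email(claims):
    """Weak: the account goes to whoever currently controls that mailbox."""
    for acct in ACCOUNTS:
        if acct.email == claims["email"]:
            return acct.account_id
    return None

def login_by_sub(claims):
    """Hardened: the account is bound to the per-account `sub`, not the email."""
    for acct in ACCOUNTS:
        if acct.google_sub == claims["sub"]:
            return acct.account_id
    # Known email but unknown sub means a different Google account.
    # Do not fall back to the email match; route to manual recovery instead.
    if any(a.email == claims["email"] for a in ACCOUNTS):
        raise PermissionError("email matches an account but sub does not")
    return None

# Claims from the original employee's Google account.
ORIGINAL = {"sub": "sub-1111", "email": "alice@defunct-startup.example"}
# Claims after the domain changed hands and the same address was recreated.
RECREATED = {"sub": "sub-9999", "email": "alice@defunct-startup.example"}

def recreated_is_rejected():
    try:
        login_by_sub(RECREATED)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    print("email lookup, recreated address:", login_by_email(RECREATED))
    print("sub lookup, original account:", login_by_sub(ORIGINAL))
    print("sub lookup rejects recreated address:", recreated_is_rejected())
```

The mismatch branch is where the reported sub-identifier inconsistencies would surface: the safe handling is a recovery flow, not a silent fallback to the email match.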
Google’s Response and Next Steps
Google initially dismissed the vulnerability as a “fraud issue”, then reopened Ayrey’s bug report and paid him a bounty. Google has not fixed the issue but has updated its documentation on how to properly shut down Google Workspace and associated SaaS services.
Ayrey said startup founders are overwhelmed during closures and often miss securing their digital infrastructure, leaving data exposed. He said, “Shutting down a company is an emotionally taxing process, it’s easy to miss critical steps.”
Takeaway
The responsibility lies with both cloud service providers and company founders to mitigate the risk. Properly deactivating SaaS platforms and following Google’s recommendations can reduce the risk of data theft when a startup fails.