Hundreds of companies are inadvertently sharing private information via Google Groups, including everything from employee salary compensation to customer passwords. And it’s all thanks to the click of one little button.
An audit from the security intelligence group RedLock found personally identifiable information in publicly accessible messages in the Google Groups for companies including IBM’s The Weather Company, Fusion Media Group, the cloud-based help desk software Freshworks, and video ad platform SpotX.
Among the info discovered: sales pipeline data, names, email addresses, home addresses, compensation, and passwords.
Google Groups is a convenient way for companies to sort and manage internal communications. A company can have several groups under its umbrella, which allow employees to participate in group discussions that are relevant to them.
Often, companies will access Google Groups through G Suite — a subscription service of Google Cloud products that includes personalised email addresses, Google Docs, and file storage.
However, RedLock discovered that at hundreds of companies, some of these private conversations were publicly accessible. And it all came down to someone clicking the wrong button under Advanced Settings.
“The companies affected by this issue mistakenly chose the ‘public on the internet’ sharing setting, making all information contained in the messages accessible by anyone on the web,” according to RedLock.
Luckily, the fix is simple: Just go into settings for “Outside this domain – access to groups” and set it to private.