Hundreds of companies are inadvertently sharing private information via Google Groups, including everything from employee salary compensation to customer passwords. And it’s all thanks to the click of one little button.
An audit from the security intelligence group RedLock found personally identifiable information in publicly accessible messages in the Google Groups for companies including IBM’s The Weather Company, Fusion Media Group, the cloud-based help desk software Freshworks, and video ad platform SpotX.
Among the info discovered: sales pipeline data, names, email addresses, home addresses, compensation, and passwords.
Google Groups is a convenient way for companies to sort and manage internal communications. A company can have several groups under its umbrella, which allow employees to participate in group discussions that are relevant to them.
Often, companies will access Google Groups through G Suite – a subscription service of Google Cloud products that includes personalized email addresses, Google Docs, and file storage.
However, RedLock discovered that at hundreds of companies, some of these private conversations were publicly accessible. And it all came down to someone clicking the wrong button under Advanced Settings.
“The companies affected by this issue mistakenly chose the ‘public on the internet’ sharing setting, making all information contained in the messages accessible by anyone on the web,” according to RedLock.
Luckily, the fix is simple: Just go into settings for “Outside this domain – access to groups” and set it to private.
Update: In an email to Business Insider, SpotX said that it has resolved the aformentioned concerns.
“Our team has completed a very thorough audit of all of our Google Groups to ensure that our communications are tightly secure. We can confirm that all information that is not intended for public use has been locked down to our internal team. In addition, we have updated our group creation requirements. We place the utmost importance on client, partner and employee data, and our team works hard to ensure all data is secure. We will continue to do so.”