Google’s productivity suite, Workspace, is widely used by startups for email, documents and other back-office work. A security report, however, suggests that many startups never delete their Workspace user accounts before letting their domains lapse, leaving data held in third-party services reachable by whoever buys the domain next.
According to Dylan Ayrey of Truffle Security Co., startup failure rates are high, with roughly 90% folding within the first few years, so at any given time there are many domains up for sale that were once connected to Google sign-in. When such a domain is bought, the new owner can sometimes bring the original owner’s Google-linked accounts back to life and use them to reach sensitive information.
Ayrey bought a defunct startup’s domain and, through the revived Google sign-ins, got into services including Slack, ChatGPT and HR systems. There he found material such as tax documents, job interview details and direct messages.
Google has acknowledged the issue, stating that it is a best practice for customers to properly close their domains after shutting down operations, and it points to its own account-deletion instructions as the way to prevent this kind of problem. Those Google Workspace instructions note that canceling a subscription “doesn’t remove user accounts,” which stay in place until the organization’s account itself is deleted. So even after a domain is sold, user accounts tied to the original owner’s domain can be brought back into use by the domain’s new owner.
The vulnerability affects domains that used Google Workspace accounts to authenticate with third-party services and whose owners failed to delete the Workspace account before selling or abandoning the domain. Ayrey’s method did not give him access to data stored inside the Google accounts themselves, but it did expose sensitive information held on third-party platforms that accept Google sign-in.
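The article does not spell out how a third-party service decided that the new domain owner’s Google login was the original employee’s account. The usual weakness in a “Sign in with Google” integration is keying the account on the token’s email address (or its domain) rather than on Google’s stable `sub` claim, which Google documents as the identifier applications should use. The Python simulation below is an added example, not code from the article, Truffle Security or Google; the ID-token claim values are constructed, and the `SaasUserStore` class is a stand-in for a service’s user directory:

```python
"""Simulation of how a 'Sign in with Google' consumer decides which account a
Google ID token belongs to: email-keyed lookup versus sub-keyed lookup.
Constructed example; the claim values below are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    account_id: int
    email: str
    google_sub: Optional[str]  # stable Google subject id, if the service stored it
    data: str                  # stand-in for DMs, tax documents, HR records


# Constructed ID-token claims. Only claim names Google actually issues are used
# (sub, email, email_verified, hd); the values are fabricated for this example.
ORIGINAL_FOUNDER: Dict[str, object] = {
    "sub": "100000000000000000001",
    "email": "ceo@deadstartup.example",
    "email_verified": True,
    "hd": "deadstartup.example",
}
# The domain lapses, someone buys it and sets up a fresh Workspace with the same
# address. Google issues a different sub; the email and hd claims are identical.
NEW_DOMAIN_OWNER: Dict[str, object] = {
    "sub": "200000000000000000002",
    "email": "ceo@deadstartup.example",
    "email_verified": True,
    "hd": "deadstartup.example",
}


class SaasUserStore:
    """Hypothetical user directory of a SaaS product that accepts Google sign-in."""

    def __init__(self) -> None:
        self.accounts: List[Account] = []

    def create(self, claims: Dict[str, object], data: str = "") -> Account:
        acct = Account(len(self.accounts) + 1, str(claims["email"]),
                       str(claims["sub"]), data)
        self.accounts.append(acct)
        return acct

    def login_by_email(self, claims: Dict[str, object]) -> Account:
        """Weak: the account belongs to whoever presents a verified token for this
        email. Whoever controls the domain later can obtain such a token."""
        if not claims.get("email_verified"):
            raise PermissionError("unverified email")
        for acct in self.accounts:
            if acct.email.lower() == str(claims["email"]).lower():
                return acct
        return self.create(claims)

    def login_by_sub(self, claims: Dict[str, object]) -> Account:
        """Stronger: match on sub. A token whose email matches an existing account
        but whose sub does not is a different principal and gets a new, empty
        account (a real service might instead require re-verification)."""
        for acct in self.accounts:
            if acct.google_sub == claims["sub"]:
                return acct
        return self.create(claims)


def simulate(strategy: str) -> bool:
    """Return True if the new domain owner lands in the founder's old account."""
    store = SaasUserStore()
    founder = store.create(ORIGINAL_FOUNDER, data="tax docs, interview notes, DMs")
    login = store.login_by_email if strategy == "email" else store.login_by_sub
    reached = login(NEW_DOMAIN_OWNER)
    return reached.account_id == founder.account_id


if __name__ == "__main__":
    print("email-keyed lookup, takeover:", simulate("email"))  # True
    print("sub-keyed lookup, takeover:  ", simulate("sub"))    # False
```

The sub-keyed path only protects accounts for which the service stored `sub` at first login; legacy accounts holding `None` there are still reachable by email unless the service forces a re-verification step. On the organization side, the defence the article points to is simpler: delete the Workspace user accounts, not just the subscription, before the domain is allowed to lapse.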
Source: https://arstechnica.com/security/2025/01/startup-necromancy-dead-google-apps-domains-can-be-compromised-by-new-owners