A recent vulnerability disclosed by security researcher Dylan Ayrey puts thousands of former employees and millions of software accounts at risk of data theft. The flaw, in Google's OAuth system, allows attackers to log in to cloud software using defunct domain names and the employee email addresses tied to them.
Ayrey, founder of Truffle Security, created the popular open-source project TruffleHog, which helps detect data leaks. He recently revealed a vulnerability with Google OAuth, the technology behind “Sign in with Google,” during a talk at ShmooCon.
The flaw allows attackers to access cloud software by exploiting defunct domain names and employee email addresses. This can expose sensitive information such as Social Security numbers and bank account details. Ayrey estimates that tens of thousands of former employees are at risk, along with millions of SaaS software accounts.
Google has acknowledged the issue and is working on a fix. However, some companies have expressed concerns about relying on the `sub` identifier, which Google describes as reliable, because of its high failure rate in certain cases.
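The `sub` identifier mentioned above is, in OpenID Connect terms, the `sub` claim of the Google ID token: a stable per-user value that does not change when a domain is bought by someone else and the same mailbox name is recreated. The following is an added example, not code from the article or from Google or Truffle Security, showing why keying accounts on the `email`/`hd` claims is fragile and how a SaaS relying party can key on `sub` instead. It assumes the token has already been signature-verified by the application's auth library and only handles the decoded claims; the claim values, account names and domain are constructed sample data. It does not address the separate concern in the article that `sub` itself can fail in some cases.

```python
"""Account linking for a 'Sign in with Google' relying party.

Added example (not from the article). Assumes the ID token's signature,
issuer and audience were already checked; `claims` is the decoded payload.
Sample values below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Account:
    account_id: int
    email: str
    google_sub: Optional[str] = None  # stable Google user id from the `sub` claim


@dataclass
class Directory:
    """In-memory stand-in for the SaaS application's user table."""
    accounts: dict = field(default_factory=dict)  # account_id -> Account
    next_id: int = 1

    def add(self, email: str, google_sub: Optional[str]) -> Account:
        acct = Account(self.next_id, email, google_sub)
        self.accounts[acct.account_id] = acct
        self.next_id += 1
        return acct

    def find_by_email(self, email: str) -> Optional[Account]:
        wanted = email.lower()
        return next((a for a in self.accounts.values() if a.email.lower() == wanted), None)

    def find_by_sub(self, sub: str) -> Optional[Account]:
        return next((a for a in self.accounts.values() if a.google_sub == sub), None)


def login_by_email(directory: Directory, claims: dict) -> Tuple[str, Optional[int]]:
    """Weak pattern: the mailbox name alone decides which account you get.

    Whoever controls the domain later can obtain a fresh Google identity
    with the same email address and is handed the old employee's account.
    """
    acct = directory.find_by_email(claims["email"])
    if acct is not None:
        return ("existing", acct.account_id)
    return ("new", directory.add(claims["email"], claims["sub"]).account_id)


def login_by_sub(directory: Directory, claims: dict) -> Tuple[str, Optional[int]]:
    """Hardened pattern: `sub` identifies the Google user; email is display data.

    A token whose email matches an existing account but whose `sub` differs
    (or whose account was never linked to a `sub`) is not silently linked;
    it is reported as a conflict for manual review instead.
    """
    if not claims.get("email_verified", False):
        return ("denied", None)
    acct = directory.find_by_sub(claims["sub"])
    if acct is not None:
        return ("existing", acct.account_id)
    same_mailbox = directory.find_by_email(claims["email"])
    if same_mailbox is not None and same_mailbox.google_sub != claims["sub"]:
        # Same mailbox name, different Google identity: the defunct-domain case.
        return ("conflict", same_mailbox.account_id)
    return ("new", directory.add(claims["email"], claims["sub"]).account_id)


# Constructed sample claims: the original employee, and a later identity created
# under the same mailbox name after the startup's domain changed hands.
ORIGINAL_EMPLOYEE = {
    "sub": "100000000000000000001",
    "email": "alice@failed-startup.example",
    "email_verified": True,
    "hd": "failed-startup.example",
}
DOMAIN_REBUYER = {
    "sub": "100000000000000000002",
    "email": "alice@failed-startup.example",
    "email_verified": True,
    "hd": "failed-startup.example",
}


def demo() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """Seed the directory with the original employee, then try both patterns
    against the rebuyer's token. Returns (weak_result, hardened_result)."""
    directory = Directory()
    login_by_sub(directory, ORIGINAL_EMPLOYEE)
    weak = login_by_email(directory, DOMAIN_REBUYER)      # ("existing", 1): account handed over
    hardened = login_by_sub(directory, DOMAIN_REBUYER)    # ("conflict", 1): flagged, not linked
    return weak, hardened


if __name__ == "__main__":
    print(demo())
```

The conflict branch is deliberately conservative: an account with no stored `sub` (created before the application recorded it) also lands there, so a migration step that backfills `sub` for existing users on their next successful login is needed before switching the production path over.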
The incident highlights the need for startups that close down to properly shut off their cloud services as part of winding up operations. Ayrey acknowledges that this can be a complex and emotionally difficult process, but emphasizes the importance of taking these steps to prevent data breaches.
Source: https://techcrunch.com/2025/01/19/employees-of-failed-startups-are-at-special-risk-of-stolen-personal-data-through-old-google-logins