Hackers found a way to create Google Workspace accounts without verifying their email addresses. They did this with a specially crafted request that bypassed the email verification step. With such an account, they could log in to third-party services that use “Sign in with Google” for authentication.
Google’s engineers confirmed that hackers were already exploiting this vulnerability in the wild, and that the exploitation occurred at least two weeks before Google fixed the problem. The company added extra security measures and said that only a few thousand accounts were affected.
The issue was fixed within 72 hours of being discovered, but some people claimed they fell victim to the attack as early as June 2024, which means hackers might have been exploiting the flaw for two months before it was addressed.
Source: https://www.techradar.com/pro/security/hackers-bypass-google-workspace-authentication-to-expose-thousands-of-accounts