Google Group data exposure due to misconfiguration at Weather Company and SpotX

Last week, RedLock identified that many companies running Google Workspace including Weather Company, Fusion Media Group, The Onion, Freshworks, and SpotX were affected by a security issue caused by a misconfiguration of Google Groups.

In the report, RedLock indicated that “hundreds” of Google Groups have publicly exposed messages containing personally identifiable information (PII) including employee salary compensation, sales pipeline data, customer passwords, names, and home addresses. This exposure was caused due to Google Groups Sharing Options being set to “Public on the Internet” instead of “Private“.

Although this isn’t a security issue itself it does show that a simple oversight can be potentially devastating for businesses. It is recommended that be default all Google Groups should be configured as “Private”, for further instructions see the following support articles from Google.