
How a Google Employee Helped to Steal Users' Data



2% of the free domains contain previous users’ personal data that can be easily stolen. Sounds crazy! Even a domain you no longer use can cause damage to you and your business.

I would like to start this article with the world statistics provided by IBM Security. The average data breach costs a company $3.9M. The average time to identify a breach is 196 days. The average time to contain a breach is 69 days. Just think of these huge numbers. Some companies are living their comfortable lives with holes in their security systems.

Information has become the most valuable treasure in the modern world. Companies all over the world spend millions of dollars to protect confidential records from outsiders using the best practices of cybersecurity. But what if finding out all the corporate secrets is simpler than you think?

G Suite is a great and well-known tool used by businesses and organizations across the world. Almost all of my company's processes are there. I think that setting up a G Suite account is the second most common step after purchasing a domain. Google, as a leading company, works hard to protect G Suite from data breaches and hacker attacks. They use encryption for data security, machine learning algorithms to detect phishing attacks, build features to spot previously unseen attacks, etc. The Google security team does everything to protect your company’s secrets. Yet even an organization like Google can have process issues that cause data loss to the advantage of unauthorized users.

A potshot

Here is my real-life story of how I managed to get one company’s G Suite account with all the private information without any tension. In 2017 I wanted to buy a domain for my corporate needs. At that time another company was using the domain I needed. A few months later, I checked the domain again, and it appeared to be available for sale. I bought it for $50. Everything seemed to be simple at that moment. Yet I faced the first issue when I tried to add this domain name to my existing G Suite. I received an error message that this domain name had already been used as an alias or domain.

What the hell? I had my domain name, but I couldn’t add it to my G Suite account. Aiming to fix this issue, I had to reach out to a support manager from Google. He was so kind and helped me to get access to the admin account of the previous G Suite. He suggested that I take the following steps:

As you can see from the email, Google can’t delete the information:

“I understand that you also need to delete your G Suite account that was created by mistake. Unlikely as a G Suite support representative I am not allowed to delete your existing account due to privacy and security reasons.”

After I completed all the steps in the email, I accessed the G Suite account. But I received a bonus: access to all previous emails and accounts of the prior user. As extra data, I got administrative access to Twitter, PayPal, the Apple developer account, etc. This is crazy. I got full information about contacts, invoices, agreements, NDAs, and negotiation emails. Google Drive was full of data. For a few days, I was really shocked by the information I had unexpectedly gained. Still, since I respect the privacy of the previous G Suite owner, I deleted the information which did not belong to me.

The second try

The second time I faced the same issue with a domain was a month ago. Again, the same scenario applied: Buy the domain => Try to add it to the existing account => Error => Contact a support manager. This time I told the manager that I’d just bought the domain, and he sent me a form so that they could contest the ownership of that domain. Then the Google team canceled the existing account, and this way I could add it as a secondary domain. This second time I got an empty account with no data in it.

The Experiment

It seems that Google has potentially closed this security hole. But as a developer who gains advantage from the sci-tech approach, I decided to find out how many G Suite accounts are in danger of being stolen. I performed the following steps:

  1. The first step: Google API research. I needed to find an API that could help me check whether the account has G Suite. The main issue is that Google does not require authorization to get this information. (API)
  2. The second step: get a list of free domain names. This one is a piece of cake. There are domain name generator services which use a thesaurus, synonyms, antonyms, and related word collocations to create options for domain names. These services automatically check the availability of the domain. Hence it took 10 min to generate a list of 3K IT-related domains (the keywords were ios, android, web dev, mobile development, and IT development).
  3. The third step: write a Python script to check whether the free domains are connected to G Suite (link to the script).
  4. The fourth step: run the script.

The result was impressive: 1.87% (56 domains out of 3,000) were connected to G Suite. This research did not target any particular market, and I did not pick domains which were definitely in use. Just think of it: about 2 out of every 100 available domains have confidential information in their G Suite accounts that can be stolen and potentially used by anyone.

Looking back on this experience, I decided to put together a few notes to share with you:

  1. Pay for your domains on time, since you can lose them along with all the data you have.
  2. If you decide to stop your business, clean up all your data from the G Suite.
  3. Change the email connected with your other applications and tools before you kill the email from your G Suite or close these accounts.
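
A way to act on these three notes, as an added example that is not part of the original article: a small Python audit that flags domains about to lapse while a G Suite account is still attached, and third-party logins whose password resets go to an address on such a domain. The inventory, field names and the 60-day warning window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Domain:
    name: str
    expires: date
    auto_renew: bool
    workspace_attached: bool  # a G Suite account holding data is still bound to it

@dataclass
class Account:
    service: str
    login_email: str  # address that receives password-reset mail

def covering_domain(email, domains):
    # Match the address host against the inventory, including subdomains.
    host = email.rsplit("@", 1)[-1].lower().rstrip(".")
    matches = [d for d in domains
               if host == d.name or host.endswith("." + d.name)]
    return max(matches, key=lambda d: len(d.name), default=None)

def audit(domains, accounts, today, warn_days=60):
    """Return sorted (kind, domain, detail) findings for the three notes above."""
    findings, at_risk = [], set()
    for d in domains:
        days_left = (d.expires - today).days
        if days_left < 0:
            state = "LAPSED"
        elif days_left <= warn_days and not d.auto_renew:
            state = "EXPIRING"
        else:
            continue
        at_risk.add(d.name)
        if d.workspace_attached:  # notes 1 and 2: renew, or wipe the data first
            findings.append((state, d.name, "G Suite data still attached"))
    for a in accounts:  # note 3: move logins off the domain before it goes
        d = covering_domain(a.login_email, domains)
        if d and d.name in at_risk:
            findings.append(("RESET-PATH", d.name, f"{a.service}: {a.login_email}"))
    return sorted(findings)

# Constructed sample inventory (reserved example domains, invented dates).
TODAY = date(2024, 3, 1)
DOMAINS = [Domain("example.com", date(2025, 1, 10), True, True),
           Domain("example.org", date(2024, 3, 20), False, True),
           Domain("example.net", date(2024, 2, 1), False, False)]
ACCOUNTS = [Account("PayPal", "billing@example.org"), Account("Apple developer", "dev@example.com"),
            Account("Twitter", "social@mail.example.net")]
print(*audit(DOMAINS, ACCOUNTS, TODAY), sep="\n")
```
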

Remember that you are responsible for the protection of your data assets. We wish that your business information stays safe and secure and that all data breaches remain just bad dreams. Always challenge the security standards of the services you use for your business, even if they are enterprise-level monsters like Google. We can trust no one with the security of our information.
