Close Menu
TechBrunchTechBrunch
  • Home
  • AI
  • Apps
  • Crypto
  • Security
  • Startups
  • TechCrunch
  • Venture

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

What's Hot

Klarna CEO and Sutter Hill wins lap after Jony Ive's Openai deal

May 22, 2025

Bluesky begins to check for “notable” users

May 22, 2025

Microsoft says Lumma Password Stealer Malware found on 394,000 Windows PCs

May 22, 2025
Facebook X (Twitter) Instagram
TechBrunchTechBrunch
  • Home
  • AI

    OpenAI seeks to extend human lifespans with the help of longevity startups

    January 17, 2025

    Farewell to the $200 million woolly mammoth and TikTok

    January 17, 2025

    Nord Security founder launches Nexos.ai to help enterprises move AI projects from pilot to production

    January 17, 2025

    Data proves it remains difficult for startups to raise capital, even though VCs invested $75 billion in the fourth quarter

    January 16, 2025

    Apple suspends AI notification summaries for news after generating false alerts

    January 16, 2025
  • Apps

    Bluesky begins to check for “notable” users

    May 22, 2025

    Mozilla shuts down its Read-It-Later app pocket

    May 22, 2025

    Opening a Social Web Browser Surf makes it easy for anyone to create custom feeds

    May 22, 2025

    Anthropic's new Claude4 AI model can be inferred in many steps

    May 22, 2025

    Strava buys athletic training app – First Runna, and now Breakaway

    May 22, 2025
  • Crypto

    Starting from up to $900 from Ticep, 90% off +1 in 2025

    May 22, 2025

    Early savings for 2025 will end on May 25th

    May 21, 2025

    Coinbase says its data breach will affect at least 69,000 customers

    May 21, 2025

    There are 6 days to save $900 to destroy 2025 tickets

    May 20, 2025

    Save $900 to destroy 2025 tickets before prices rise on May 25th

    May 19, 2025
  • Security

    Microsoft says Lumma Password Stealer Malware found on 394,000 Windows PCs

    May 22, 2025

    Signal's new Windows update prevents the system from capturing screenshots of chat

    May 22, 2025

    Wyden: AT&T, T-Mobile and Verizon did not inform senators of surveillance requests

    May 21, 2025

    US students agree to plead guilty to hacking affecting tens of millions of students

    May 21, 2025

    The people in Elon Musk’s DOGE universe

    May 20, 2025
  • Startups

    7 days left: Founders and VCs save over $300 on all stage passes

    March 24, 2025

    AI chip startup Furiosaai reportedly rejecting $800 million acquisition offer from Meta

    March 24, 2025

    20 Hottest Open Source Startups of 2024

    March 22, 2025

    Andrill may build a weapons factory in the UK

    March 21, 2025

    Startup Weekly: Wiz bets paid off at M&A Rich Week

    March 21, 2025
  • TechCrunch

    OpenSea takes a long-term view with a focus on UX despite NFT sales remaining low

    February 8, 2024

    AI will save software companies' growth dreams

    February 8, 2024

    B2B and B2C are not about who buys, but how you sell

    February 5, 2024

    It's time for venture capital to break away from fast fashion

    February 3, 2024

    a16z's Chris Dixon believes it's time to focus on blockchain use cases rather than speculation

    February 2, 2024
  • Venture

    Klarna CEO and Sutter Hill wins lap after Jony Ive's Openai deal

    May 22, 2025

    Wild story of how Moxxie-led Intestinal Toilet Startup Sloan was registered as a gut toilet startup throne

    May 22, 2025

    Submitted submission raises $17 million to automate tax preparation dr voyages

    May 21, 2025

    In a busy VC landscape, Elizabeth Weil's graffiti venture shows that networks are still important

    May 21, 2025

    A comprehensive list of 2025 tech layoffs

    May 21, 2025
TechBrunchTechBrunch

Employees of failed startups are at particular risk of having their personal data stolen through old Google logins

TechBrunchBy TechBrunchJanuary 19, 20256 Mins Read
Facebook Twitter Pinterest Telegram LinkedIn Tumblr WhatsApp Email
Share
Facebook Twitter LinkedIn Pinterest Telegram Email


As if losing your job when the startup you work for goes bankrupt isn't bad enough, security researchers have found that employees of failed startups are especially at risk of having their data stolen. This can range from personal Slack messages to social security numbers and even bank accounts.

The researcher who discovered the issue is Dylan Ailey, co-founder and CEO of Truffle Security, a startup backed by Andreessen Horowitz. Ayrey is best known as the creator of the popular open source project TruffleHog. TruffleHog helps you monitor data leaks if bad actors obtain your identity login tools (API keys, passwords, tokens).

Ayrey is also a rising star in the world of bug hunting. At last week's security conference ShmooCon, he spoke about flaws he discovered in Google OAuth, the technology behind the “Sign in with Google” password replacement.

Ayrey gave the talk after reporting the vulnerability to Google and other potentially affected companies, and said he was not allowed to share details since Google does not prohibit telling bug hunters about their findings. is completed. (For example, Google's 10-year-old Project Zero frequently showcases flaws found in products from other major technology companies, such as Microsoft Windows.)

He says that if a malicious hacker buys a defunct domain from a failed startup, they can use that domain to create cloud software that is set up to be accessible to all employees at the company, including internal chat and video apps. I discovered that it is possible to log into . Many of these apps offer company directories and user information pages from which hackers can discover former employees' real emails.

Armed with domains and their emails, hackers can use the “Sign in with Google” option to access the startup's many cloud software apps and often discover more employee emails. There is a gender.

To test the flaws he discovered, Ayrey purchased the failed startup's domain, from which he could log into ChatGPT, Slack, Notion, Zoom, and human resources systems, including Social Security numbers. .

“That's probably the biggest threat,” Iley told TechCrunch. Data from cloud HR systems is “the easiest to monetize, and social security numbers, banking information, and anything else in HR systems is probably the most likely to be stolen.” He said, and Google confirmed that, no data created by employees in old Gmail accounts, Google Docs or Google apps was at risk.

Any failed company that puts a domain up for sale is potential prey, but since startups tend to use Google apps and a lot of cloud software to run their business, startups' employees employees are particularly vulnerable.

Ayrey calculates that tens of thousands of former employees are at risk, as well as millions of SaaS software accounts. This is based on his research, which found that 116,000 website domains are currently for sale from failed technology startups.

Prevention is possible but not perfect

In fact, Google's OAuth configuration includes techniques that prevent the risks outlined by Ayrey when used by SaaS cloud providers. This is called a “sub-identifier” and is a series of numbers that are unique to each Google Account. Employees may have multiple email addresses associated with their work Google Account, but only one account needs to include a sub-identifier.

If configured, when an employee attempts to log in to a cloud software account using OAuth, Google sends both the email address and a sub-identifier to identify the individual. Therefore, even if a malicious hacker were to take control of your domain and recreate your email addresses, they should not be able to recreate these identifiers.

However, Ayrey, who was working with one of the affected SaaS HR providers, found this identifier to be “unreliable.” In other words, HR providers found that a very small percentage (0.04%) of their identifiers changed. This may be statistically close to zero, but for HR providers that handle huge numbers of users every day, this can add up to hundreds of failed logins each week, locking people out of their accounts. That's it. That's why the cloud provider didn't want to use Google's sub-identifiers, Ailey said.

Google objects to sub-identifiers changing. Because this finding came from the HR cloud provider rather than researchers, it was not submitted to Google as part of a bug report. Google has said that if it finds evidence that a sub-identifier is untrustworthy, the company will address it.

Google changes its mind

But Google has also upended just how important this issue is. Initially, Google completely ignored Ayrey's bug, quickly closing the ticket and saying it was a “fraud” issue rather than a bug. Google wasn't completely wrong. This risk arises from hackers taking control of a domain and exploiting email accounts recreated from it. Ayrey expressed no regrets about Google's initial decision, saying it was a data privacy issue where Google's OAuth software worked as intended despite the potential harm to users. I called. “It's not that simple,” he said.

But three months later, shortly after his talk was accepted at ShmooCon, Google changed its mind, reopened the ticket, and paid Ayrey $1,337 in compensation. Something similar happened to him in 2021 when Google reissued him a ticket after he gave a highly popular talk about his findings at the Black Hat cybersecurity conference. Google awarded Ayrey and his bug-finding partner Allison Donovan the third award of its annual Security Researcher Award (and $73,331).

Google has not yet announced a technical fix for this flaw, nor has it announced a timeline for when the fix will occur. It's also not clear whether Google will make any technical changes to address this issue in any way. However, the company has updated its documentation to direct cloud providers to use sub-identifiers. Google is also instructing founders on how companies can properly shut down Google Workspace to avoid problems.

Ultimately, Google says the solution is to allow founders who shut down their companies to gracefully shut down all of their cloud services. “We would like to thank Dylan Ayrey for his assistance in helping us identify the risks posed by customers forgetting to remove third-party SaaS services as part of their refusal to operate them,” the spokesperson said.

As a founder himself, Ayrey understands why many founders haven't been able to reliably disable cloud services. Closing down a company is actually a complex process that takes place during a potentially emotionally distressing time, with many challenges ranging from disposing of employee computers to closing bank accounts to paying taxes. Contains items.

“When a founder has to deal with a company closing, they probably don't have the mental space to think about all the things they have to think about,” Eyley says.



Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

Microsoft says Lumma Password Stealer Malware found on 394,000 Windows PCs

May 22, 2025

Signal's new Windows update prevents the system from capturing screenshots of chat

May 22, 2025

Wyden: AT&T, T-Mobile and Verizon did not inform senators of surveillance requests

May 21, 2025

US students agree to plead guilty to hacking affecting tens of millions of students

May 21, 2025

The people in Elon Musk’s DOGE universe

May 20, 2025

Cocospy Stalkerware App goes offline after a data breach

May 19, 2025

Leave A Reply Cancel Reply

Top Reviews
Editors Picks

7 days left: Founders and VCs save over $300 on all stage passes

March 24, 2025

AI chip startup Furiosaai reportedly rejecting $800 million acquisition offer from Meta

March 24, 2025

20 Hottest Open Source Startups of 2024

March 22, 2025

Andrill may build a weapons factory in the UK

March 21, 2025
About Us
About Us

Welcome to Tech Brunch, your go-to destination for cutting-edge insights, news, and analysis in the fields of Artificial Intelligence (AI), Cryptocurrency, Technology, and Startups. At Tech Brunch, we are passionate about exploring the latest trends, innovations, and developments shaping the future of these dynamic industries.

Our Picks

Klarna CEO and Sutter Hill wins lap after Jony Ive's Openai deal

May 22, 2025

Bluesky begins to check for “notable” users

May 22, 2025

Microsoft says Lumma Password Stealer Malware found on 394,000 Windows PCs

May 22, 2025

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

© 2025 TechBrunch. Designed by TechBrunch.
  • Home
  • About Tech Brunch
  • Advertise with Tech Brunch
  • Contact us
  • DMCA Notice
  • Privacy Policy
  • Terms of Use

Type above and press Enter to search. Press Esc to cancel.