Thousands of organizations are leaking sensitive email, according to researchers from Kenna Security. The root cause is a widespread misconfiguration of Google Groups, a web forum used as part of Google’s G Suite of workspace tools.
Google Groups can be used to create mailing lists and publish content available to users. Organizations affected include Fortune 500 companies, hospitals, colleges, U.S. government agencies and others.
According to Kenna Security, approximately 31 percent of a sample of 9,600 organizations analyzed are exposing data. Affected organizations can mistakenly configure their privacy settings on Google Groups to “Public on the Internet” and enable the option to share outside their organization.
This means tens of thousands of organizations could be affected, according to the ZDNet report.
Google published a new post on Friday regarding the issue and included recommendations on how to configure Google Groups for enhanced security. The guidance included recommended default settings to prevent misconfigurations, default views for new groups, and domain-level access settings, to name just a few.