If you are using Google Groups, you need to check your privacy settings right now and make sure that the configuration doesn’t leak any sensitive information.
This message comes from Kenna Security which found that nearly one-third of 9,600 public Google Groups leaked sensitive information in emails sent through the platform.
The security firm found such public groups held by many prominent websites, including Fortune 500 companies, hospitals, universities, newspapers, and even U.S. government agencies.
The post says that a misconfiguration in settings results in leakage of emails containing invoices, passwords, and other credentials. In short, things you wouldn’t want to be shared on the internet.
Why are emails from my Google Group getting leaked?
According to the firm, Google Groups has “complex terminology” and conflict between “organization-wide vs. group-specific permissions” which causes list admins to “inadvertently expose e-mail list contents.”
Apparently, when a G-Suite admin creates a Groups mailing list for specific recipients, it also provides a web interface for the list at https://groups.google.com.
The privacy settings for each Google Group can be adjusted on either a domain or per-group basis, and the misconfiguration occurs when Groups Visibility is set to “Public on the Internet.”
How to check whether I am affected?
You can visit the settings page by logging into G Suite as an admin and typing “Settings for Groups for Business” or by using this link. Here, the settings should always be set to “Private” if the group is meant to be internal to the company.
“If publicly accessible, you may access your organization’s public listing at the following link: https://groups.google.com/a/[DOMAIN]/forum/#!forumsearch/”
How do I configure my Google Group settings?
Kenna Security alerted Google about this leakage and in response, Google has issued instructions on how to adjust the settings that would ensure a group’s privacy. You can make the suggested changes to prevent emails from being visible publicly.