The Google Apps / Gmail Breach That Isn’t

News over the past few days that hackers have posted almost 5 million email addresses and passwords on an online forum has caught the media’s attention in large part because about 4.7 million of the addresses appear to be Gmail accounts.

This is NOT, however, a breach of Gmail or Google Apps.  

The information appears to be from other sites and sources for which users provide their email address as their login. In fact, several people who have found their address on the list report that the information is not their login information for Gmail or Google Apps. As reported by Mashable, your risk is low.

Given it is not a Google Apps or Gmail breach, are you at risk?

Maybe!  Google has already analyzed the list and found some users that may be using their Google account password for other sites.  Google has notified these users and is forcing them to change their passwords. For the bigger picture:

If you use the same username/email address and password for all of your services, and one service is breached, then you are at risk of hackers gaining access to some or all of your services.

If a service is breached and you have granted the service access to your Google Apps environment, your data may be at risk.

Recommended Actions

Step One:  It is not easy, but avoid using the same password for multiple services, sites, or accounts.  And don’t write passwords down to remember them.

Step Two:  Be careful when and how you allow services to connect with one another.  For example, LinkedIn needs your password if you are going to import contacts. While this may be safe to do, other services may not be as trustworthy.

Step Three:  Read and understand security permissions when you install apps on your mobile devices.  Many apps recognize and request access to other apps and services already on your phone.  Human nature is to say “grant” or “allow” without reading or fully understanding the implications, risks, or the trustworthiness of the app’s creators.

Note for Businesses, Governments, and Schools running Google Apps: Users installing 3rd party apps, particularly on cell phones, may be granting access to data stored in Google Apps. To see if you have a risk, we offer a Google Apps Security Health Check that will document access rights and evaluate your level of risk, if any.



Assessing Your Google Apps Security Threats

The power of Google Apps comes from the variety and scope of its collaboration features.  Unfortunately, the same tools we use to share and to work more efficiently can be used against us. When users set permissions, they may accidentally (or intentionally) over-share, resulting in data leaks, disclosures, policy breaches, and regulatory violations.

Because it is easy to select and connect 3rd party mobile and web apps to your Google accounts in just a few clicks, employees can easily and unintentionally grant access to non-trustworthy apps.

How do you protect your users from threats they do not know exist?

Assessing and managing information security within Google Apps warrants a multi-faceted approach.

  1. Education. Make sure employees understand your organization’s privacy and security policies, and any regulations and laws you must follow.
  2. Education. Make sure your users understand the basics of how permissions work within Google Drive and Sites, and how to use settings to comply with policies.
  3. Education. Make sure employees know that 3rd party apps can be dangerous and cause problems.

Beyond Education, many organizations look to deploy data protection and security solutions that support policies, that monitor the Google Apps environment for risks and violations, and that can respond and remediate potential data sharing violations.

Before you invest, however, understand your risk.  By reviewing Drive content and permissions and analyzing the inventory of 3rd party apps accessing your Google Apps domain, you can best assess if and when additional security and administrative tools are warranted.  While this can be time-consuming, tools and services exist that can automate the process of gathering and analyzing Google Apps security threat information.

Through September 30, 2014, Cumulus Global is partnering with CloudLock, the Google Apps collaboration security company, to offer a comprehensive Google Apps Security Health Check, which will analyze both Drive content and the risk from 3rd party mobile and web apps.  Normally a service costing $1,000 to $5,000, we are offering the assessment for $300 or less.
