
Startup Necromancy: Dead Google Apps domains can be compromised by new owners

    Many startups use Google's productivity suite, Workspace, to handle email, documents, and other back-office matters. Related to this, many business web apps support Google's OAuth login, “Sign in with Google.” It's a low-friction setup until the startup fails, the domain goes up for sale, and nobody remembered to close all the Google accounts tied to it.

    Dylan Ayrey of Truffle Security Co. suggests in a report that this problem is more serious than anyone, especially Google, acknowledges. Many startups make the crucial mistake of not properly closing their accounts (both with Google and other web-based apps) before allowing their domains to expire.

    Considering the number of people working for tech startups (6 million), the failure rate of those startups (90 percent), their use of Google Workspace (50 percent, all according to Ayrey's numbers), and the speed at which startups tend to disintegrate, there are many domains associated with Google authentication for sale at any given time. That wouldn't be an inherent problem, except that, as Ayrey shows, purchasing a domain whose Google Workspace accounts were never deleted lets the buyer reactivate the Google accounts of former employees.

    With administrative access to those accounts, you can access many of the services they used Google's OAuth to log into, such as Slack, ChatGPT, Zoom, and HR systems. Ayrey writes that he bought a defunct startup domain and accessed each of them through Google account logins. He ended up with tax documents, job interview details and direct messages, among other sensitive material.

    You need to close your shop, not just give up

    Reached for comment, a Google spokesperson issued a statement:

    We appreciate Dylan Ayrey's help in identifying the risks associated with customers forgetting to remove third-party SaaS services as part of shutting down their operations. As a best practice, we recommend that customers properly shut down domains by following these instructions to eliminate these types of issues. Additionally, we encourage third-party apps to follow best practices by using the unique account identifiers (sub) to mitigate this risk.

    Google's instructions state that canceling a Google Workspace “does not delete user accounts,” which remain until an organization's Google Account is deleted.
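The mitigation Google's statement recommends for third-party apps is to link a user to the stable `sub` claim in the Google ID token rather than to the email address or `hd` (hosted domain) claim, because the new owner of a lapsed domain can set up a fresh Workspace for that domain and mint an account with the very same address. The following is an added illustration of that difference, not code from the article, from Ayrey's report, or from Truffle Security; the token payloads, client ID, `sub` values and account store are all constructed, and the code takes the signature as already verified.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample claim sets from Google ID tokens (the decoded JWT
# payload a relying party sees after checking the signature).  All values
# below are made up for this example.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

# Token that the original employee received while the startup was alive.
ORIGINAL_EMPLOYEE_TOKEN = {
    "iss": "https://accounts.google.com",
    "sub": "110248495921238986420",      # stable per-Google-account id (assumed)
    "email": "alice@deadstartup.example",
    "email_verified": True,
    "hd": "deadstartup.example",         # hosted (Workspace) domain
    "aud": CLIENT_ID,
    "exp": NOW + 3600,
}

# Token minted after the domain expired and a new owner registered it,
# created a new Workspace for it, and added a user with the same address.
# Email and hd are identical; Google assigns a different sub.
NEW_OWNER_TOKEN = {
    "iss": "https://accounts.google.com",
    "sub": "109981122334455667788",      # different account, different sub (assumed)
    "email": "alice@deadstartup.example",
    "email_verified": True,
    "hd": "deadstartup.example",
    "aud": CLIENT_ID,
    "exp": NOW + 3600,
}


@dataclass
class Account:
    account_id: str
    email: str
    google_sub: Optional[str]  # set when the account was first linked to Google


# Toy relying-party user store: Alice's account, linked on her first login.
USERS = [Account("acct-1", "alice@deadstartup.example", "110248495921238986420")]


def validate_token(claims: dict, expected_aud: str, now: int) -> bool:
    """Minimal claim checks a relying party performs after signature
    verification.  Both constructed tokens pass: nothing here distinguishes
    the original employee from the domain's new owner."""
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        return False
    if claims.get("aud") != expected_aud:
        return False
    if claims.get("exp", 0) <= now:
        return False
    return claims.get("email_verified") is True


def lookup_by_email(claims: dict, users: list) -> Optional[Account]:
    """Weak linking: match on email (and, implicitly, on hd).  Whoever
    controls the domain can recreate the address and inherit the account."""
    wanted = claims["email"].lower()
    for user in users:
        if user.email.lower() == wanted:
            return user
    return None


def lookup_by_sub(claims: dict, users: list) -> Optional[Account]:
    """Hardened linking: match only on the Google sub recorded at first login.
    A recreated mailbox in a new Workspace carries a new sub, so it resolves
    to no existing account and must be provisioned as a brand-new user."""
    wanted = claims["sub"]
    for user in users:
        if user.google_sub == wanted:
            return user
    return None


if __name__ == "__main__":
    for name, token in (("employee", ORIGINAL_EMPLOYEE_TOKEN), ("new owner", NEW_OWNER_TOKEN)):
        assert validate_token(token, CLIENT_ID, NOW)
        by_email = lookup_by_email(token, USERS)
        by_sub = lookup_by_sub(token, USERS)
        print(f"{name:10s} email-keyed -> {by_email.account_id if by_email else None}, "
              f"sub-keyed -> {by_sub.account_id if by_sub else None}")
```

Matching on `hd` does not help either: the new Workspace for the recovered domain issues tokens with the same hosted-domain value, so a domain allowlist is satisfied just as the email match is.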

    Notably, Ayrey's methods could not access data stored in the reactivated Google accounts themselves, only data held on third-party platforms. While Ayrey's test cases and data largely cover startups, any organization that used Google Workspace accounts to authenticate to third-party services, and neither deleted its Google account nor removed the domain link before the domain was sold, could be vulnerable.