Major companies including IBM's Weather Company, Fusion Media Group and SpotX have accidentally publicly exposed messages containing sensitive information due to a configuration error in Google Groups.
Security researchers at RedLock Cloud Security Intelligence discovered that hundreds of companies inadvertently exposed personally identifiable information, including email addresses, email content as well as personally identifiable information such as customer names, passwords, email and home addresses, employee salary compensation details and sales pipeline data.
Google Groups, which is a part of G Suite, is used by organizations as a communication and collaboration tool to create and participate in online forums and email-based group chats. When setting up a Google Group, administrators can change the sharing option for "Outside this domain - access to groups" to make the group's messages private or public.
The organizations, which leaked sensitive data, accidentally selected the field "Public on the Internet", allowing anyone on the Internet to view and access the private and sensitive information in their messages.
Some of the companies affected include the Weather Company, Freshworks, SpotX and Fusion Media Group - the parent company of The Onion, Jezebel, Gizmodo, Lifehacker, Kotaku and more.
"The RedLock CSI team only looked for a sample of [Google Groups] cases and found dozens," RedLock cofounder and CEO Varun Badhwar told Dark Reading. "Extending that, there are likely hundreds of companies affected by this misconfiguration."
The security firm has recommended that the companies immediately check and change their Google Groups sharing setting to "private."
"Simple misconfiguration errors - whether in SaaS applications or cloud infrastructure - can have potentially devastating effects," Badhwar told ZDNet. "Recent data leaks at companies such as Deep Root Analytics, WWE, and Booz Allen Hamilton have demonstrated the impact these simple errors can have."
"In today's environment, it's imperative that every organization take steps to educate employees on security best practices and leverage tools that can automate the process of securing applications, workloads and other systems."
IBTimes UK has reached out to RedLock for comment.
Over the past few months, many companies have mistakenly exposed sensitive data due to cloud configuration errors.
Last week, Dow Jones & Co. confirmed that the personal and financial details of nearly 2.2 million customers were exposed to due to a configuration error in an Amazon Web Services S3 bucket.
Verizon also revealed earlier this month that a third-party vendor had exposed millions of subscribers' records on an unprotected AWS storage on an exposed, unprotected Amazon S3 cloud server for the past six months. WWE also said that an unprotected database containing more than 3 million fans' personal data were found stored in plain text on an AWS storage server.