Failed Startups Leave Employees Exposed


Sindujaa D N

Losing a job is hard enough, but for employees at failed startups, the risk of having personal data stolen could make the situation even worse. Security researcher Dylan Ayrey has discovered a critical vulnerability that exposes former startup employees to potential identity theft and financial harm. This flaw, which primarily affects employees of collapsed startups, allows hackers to steal sensitive information like Social Security numbers, private messages, and potentially even bank account details.

Ayrey, a well-known figure in the cybersecurity community and the co-founder of Truffle Security, uncovered this issue after examining how hackers could exploit the collapse of a startup to gain unauthorized access to cloud services. The problem lies in a flaw within Google's OAuth authentication system. When hackers purchase defunct domain names from failed startups, they can use these domains to gain access to cloud software like Slack, Zoom, and Notion. From there, they can harvest employee emails and, using Google’s “Sign in with Google” feature, potentially break into other cloud apps, accessing even more sensitive data.

Ayrey was able to demonstrate the severity of this issue by buying the domain of a failed startup and accessing various services, including HR platforms containing personal information like Social Security numbers. The theft of data from HR systems poses a particularly serious threat as it is easy to monetize and can lead to significant financial loss for former employees.

This flaw is particularly damaging to startup employees, who often rely heavily on cloud-based services and Google's suite of tools for their work. According to Ayrey, tens of thousands of former employees may be at risk, as more than 116,000 domains from failed startups are currently available for purchase. With millions of SaaS software accounts exposed, the scale of the vulnerability is alarming.

While Google has implemented a safeguard called a “sub-identifier” that is supposed to prevent this type of attack, Ayrey’s investigation revealed that the identifier can be unreliable in some cases. This inconsistency, though rare (occurring in only 0.04% of cases), can still lead to significant issues, especially when dealing with large volumes of user data. The HR cloud provider that Ayrey worked with confirmed this problem, but Google disputes his findings, stating that the sub-identifier should never change. So far, Google has taken no real action to fix the issue.
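The sub-identifier the article refers to is the `sub` claim that Google places in the ID token it issues during “Sign in with Google”. The example below is added here for illustration and is not code from the article, from Google, or from Truffle Security: it shows a service's sign-in handler in two forms, an email-keyed lookup of the kind that hands a dormant employee account to whoever controls the domain later, and a `sub`-keyed lookup that refuses to link a new `sub` to an existing account just because the email matches. The token claims, the `AccountStore` class and the outcome strings are all constructed for this demonstration; a real handler would receive the claims only after verifying the token's signature, issuer, audience and expiry.

```python
"""Account resolution for a "Sign in with Google" relying party (added example)."""
from dataclasses import dataclass, field


@dataclass
class Account:
    sub: str    # Google's stable per-user identifier, the key we trust
    email: str  # informational; re-issuable by whoever owns the domain
    hd: str     # hosted (Workspace) domain at the time the account was linked


@dataclass
class AccountStore:
    """Minimal in-memory store, constructed for the example."""
    by_sub: dict = field(default_factory=dict)

    def add(self, acct: Account) -> None:
        self.by_sub[acct.sub] = acct

    def find_by_sub(self, sub: str):
        return self.by_sub.get(sub)

    def find_by_email(self, email: str):
        for acct in self.by_sub.values():
            if acct.email.lower() == email.lower():
                return acct
        return None


def resolve_login_by_email(claims: dict, store: AccountStore):
    """Weak form: identity keyed on the email address alone.

    Anyone who later registers the defunct domain can mint a Workspace user
    with the same address, obtain a fresh ID token, and land in the old account.
    """
    return store.find_by_email(claims["email"])


def resolve_login(claims: dict, store: AccountStore):
    """Hardened form: identity keyed on `sub`; email is never enough to link.

    Returns (account_or_None, outcome) so callers can log and act on the outcome.
    """
    if not claims.get("email_verified", False):
        return None, "rejected_unverified_email"

    acct = store.find_by_sub(claims["sub"])
    if acct is not None:
        return acct, "matched_sub"

    # No account carries this `sub`, yet an account with this email exists.
    # That is exactly the re-registered-domain case (or the rare changed-`sub`
    # case the article mentions). Either way, do not link silently: quarantine
    # the login for out-of-band verification instead of granting old access.
    if store.find_by_email(claims["email"]) is not None:
        return None, "quarantined_email_collision"

    acct = Account(sub=claims["sub"], email=claims["email"], hd=claims.get("hd", ""))
    store.add(acct)
    return acct, "created"


if __name__ == "__main__":
    store = AccountStore()
    # Constructed claims for a former employee; the startup's domain is a placeholder.
    former_employee = {
        "sub": "100000000000000000001",
        "email": "alice@failed-startup.example",
        "hd": "failed-startup.example",
        "email_verified": True,
    }
    print(resolve_login(former_employee, store)[1])          # created
    # Same address re-issued after the domain changed hands: different `sub`.
    reissued = dict(former_employee, sub="100000000000000000002")
    print(resolve_login(reissued, store)[1])                 # quarantined_email_collision
    print(resolve_login_by_email(reissued, store) is not None)  # True: the weak form lets it through
```

The design choice worth noting is that the hardened handler never treats an email match as a link on its own; the email only decides whether a new `sub` is created fresh or quarantined. That is the property the article says the sub-identifier is meant to provide, and it is why a service that happens to key on email or on the hosted domain gets none of that protection even though Google issues the claim.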

Initially, Google dismissed Ayrey's findings, closing the bug report and categorizing the issue as a “fraud” problem rather than a flaw in its system. After months of delay, and only after Ayrey presented the issue at a security conference, Google reversed its decision, reopened the ticket, and rewarded Ayrey with a bounty. This flip-flop raises questions about the company's priorities and responsiveness to security threats.

Despite acknowledging the issue, Google has not provided a concrete solution or a timeline for when a fix might be implemented. Instead, it has suggested that the responsibility lies with company founders to ensure that cloud services are properly shut down when their business collapses. For employees left vulnerable by these breaches, this is little consolation. The process of shutting down a startup is already overwhelming, and founders may not be in the right mindset to consider every technical detail, such as deactivating cloud services.

This situation exposes the dangerous reality of what can happen when a startup fails: employees not only lose their jobs but may also find themselves at the mercy of hackers exploiting weaknesses in cloud software. While Google has made some attempts to address the issue in its documentation, the lack of a definitive fix or proper closure of the affected services leaves former employees at great risk.

For employees of failed startups, the emotional toll of losing a job could soon be overshadowed by the very real possibility of having their identities stolen.
