Google Workspace exploit could let hackers steal your files without leaving any trace

News
By published

A flaw in Google Workspace could make a hacked account even more troublesome

Google storage
(Image credit: Shutterstock)

Storing files in the cloud means placing a huge amount of trust in the host, and that it’s keeping its security in top shape. Unfortunately, that doesn’t seem to have been the case with Google Workspace, according to a new report from security experts. 

Apparently, there’s an exploit that could allow hackers to steal Google Drive files and get away without a trace.

Researchers from Mitiga Security have published their findings on this exploit, which relates to whether you’ve paid for a Google Workspace license or not. Evidently usage logs are only kept if you’re paying for the service, and if you’re not then there’s no record of what’s been going on in your supposedly-private Drive space.

So, should any bad actors manage to compromise a Google Workspace account, they could then revoke this license. Once the account is officially “Cloud Identity Free”, they are able to do as they please without there being any record of what’s been happening. 

Mitiga claims to have notified Google of the issue, though the company apparently hasn’t responded. Hopefully it's actually figuring out a solution to the problem, because it’s a pretty serious one to have.

As TechRadar Pro points out, knowing what files have been compromised and taken during a data breach is essential. Knowing what data was taken means victims can be better informed about the risks of identity theft, fraud or other similar consequences. Without proper logs it’s impossible to make those kinds of judgments.

It’s true that the problem doesn’t make it any easier for threat actors to access your Google Workspace account in the first place. But once they’re in it means those hackers can do whatever they like, safe in the knowledge there will be no record of it.

That means it’s all the more important to make sure your account is kept safe and secure — keeping those ne’er-do-wells out of your private data. That means making sure 2-step verification is activated, and that you have a strong password. Or better still, learn how to use passkeys with your Google account for better security.

More from Tom's Guide

See more Computing News
TOPICS
Tom Pritchard
Tom Pritchard
UK Phones Editor

Tom is the Tom's Guide's UK Phones Editor, tackling the latest smartphone news and vocally expressing his opinions about upcoming features or changes. It's long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining about how terrible his Smart TV is.

Read more
Find My iPhone
Apple Find My hack turns any Bluetooth device into a secret AirTag — what we know
and image of the Google Chrome logo on a laptop
Billions of Chrome users at risk from new browser-hijacking Syncjacking attack — how to stay safe
Eight Sleep Pod 4 Ultra with head raised in beige bedroom
Eight Sleep smart beds reportedly have a secret backdoor that can be accessed remotely — everything you need to know
Cartoon of person peering through US flag
Western governments want your data and big tech is happy to provide – how to slow them down
and image of the Google Chrome logo on a laptop
Over 600,000 Chrome users at risk after 16 browser extensions compromised by hackers — what you need to know
Image of technical screen displaying system hacked warning
SonicWall VPN hit with second vulnerability
Latest in Online Security
23andME box
23andMe has declared bankruptcy — here's how to delete your data now
A magnifying glass on top of the Steam logo in a web browser
Valve just pulled a malicious game demo spreading info-stealing malware from Steam
A man filing his taxes electronically on a laptop
AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
MacBook Pro 2023
New Mac attack is tricking users into thinking their computer is locked — how to stay safe
Hacker using a stolen social security card
Your Social Security number is a literal gold mine for scammers and identity thieves — here’s how to keep it safe
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Latest in News
NYTimes Connections
NYT Connections today hints and answers — Thursday, March 27 (#655)
The Signal app logo displayed on an iPhone, with a screenshot of the Signal app in use displayed on a monitor in the background.
Signal — everything you need to know about the app at the center of the group chat scandal
Robert Downey Jr. revealed as Doctor Doom for "Avengers: Doomsday"
Marvel reveals 'Avengers: Doomsday' casting — the latest updates and every actor
Wyze Cam v3
Wyze adds AI-powered filter to its security cameras to cut down on notifications that are “no big deal”
Mark Grayson (Steven Yeun) as Invincible in his blue suit during a scene from "Invincible" season 3 on Prime Video.
'Invincible' season 4 release window just announced — here's when it's coming
Microsoft Copilot app running on a phone with Microsoft logo in background
Microsoft 365 Copilot debuts new research tools for work: here's what that means
More about online security
23andME box

23andMe has declared bankruptcy — here's how to delete your data now

A man filing his taxes electronically on a laptop

AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
Disney Plus logo

New on Disney Plus in April 2025 — all the new must-watch movies and shows
See more latest
Most Popular
Disney Plus logo
New on Disney Plus in April 2025 — all the new must-watch movies and shows
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #389 (Thursday, March 27 2025)
NYTimes Connections
NYT Connections today hints and answers — Thursday, March 27 (#655)
Mark Grayson (Steven Yeun) as Invincible in his blue suit during a scene from "Invincible" season 3 on Prime Video.
'Invincible' season 4 release window just announced — here's when it's coming
The Signal app logo displayed on an iPhone, with a screenshot of the Signal app in use displayed on a monitor in the background.
Signal — everything you need to know about the app at the center of the group chat scandal
Microsoft Copilot app running on a phone with Microsoft logo in background
Microsoft 365 Copilot debuts new research tools for work: here's what that means
Wyze Cam v3
Wyze adds AI-powered filter to its security cameras to cut down on notifications that are “no big deal”
Bella Ramsey and Isabela Merced in The Last of Us season 2
'The Last of Us' season 2 episode 1 title and runtime revealed
Robert Downey Jr. revealed as Doctor Doom for "Avengers: Doomsday"
Marvel reveals 'Avengers: Doomsday' casting — the latest updates and every actor
Mark Duplass and Ellen Pompeo in "Good American Family" on Hulu
Hulu top 10 shows — here's the 3 you need to stream right now