Close Menu
TechTost
  • AI
  • Apps
  • Crypto
  • Fintech
  • Hardware
  • Media & Entertainment
  • Security
  • Startups
  • Transportation
  • Venture
  • Recommended Essentials
What's Hot

This slush machine was a lifesaver during the New York heat wave

Former OpenAI executive Kevin Weil is now on Stoke Space’s board

OpenAI bets on families as ChatGPT goes deeper into households

Facebook X (Twitter) Instagram
  • About Us
  • Contact Us
  • Privacy Policy
  • Terms and Conditions
  • Disclaimer
Facebook X (Twitter) Instagram
TechTost
Subscribe Now
  • AI

    OpenAI bets on families as ChatGPT goes deeper into households

    11 July 2026

    Meta removes controversial AI feature on Instagram after backlash

    11 July 2026

    OpenAI launches its new family of models with GPT-5.6

    10 July 2026

    Fidji Simo resigns from the no. 2 role

    10 July 2026

    Nvidia is a victim of the PC market it created

    9 July 2026
  • Apps

    A new app, HyperTexting, turns the open web into a social media scrolling-like stream

    11 July 2026

    Apple is suing OpenAI for alleged trade secret theft

    11 July 2026

    EU threatens Meta with fines for addictive features on Facebook and Instagram

    10 July 2026

    Instagram users: Here’s how to stop Meta’s AI from using your photos

    10 July 2026

    Anthropic’s new Claude ability quietly sells you on the AI

    9 July 2026
  • Crypto

    Venice AI goes unicorn with $65M Series A as first privacy AI platform takes off

    1 July 2026

    Crypto Exchange OKX wants AI agents to hire and pay each other

    30 June 2026

    Startup Battlefield 200 applications close today

    27 May 2026

    5 days left: Save up to $410 on Disrupt 2026 passes

    25 May 2026

    As crypto cools, a16z crypto raises $2.2 billion in capital

    6 May 2026
  • Fintech

    Don’t want to invest in Elon Musk? Two new ETFs expressly exclude him

    10 July 2026

    India’s payments chief believes artificial intelligence will play a big part in the next era of digital payments development

    28 June 2026

    Early Bird pricing ends tonight for the Founder Summit

    26 June 2026

    4 days left to save up to $190 on Founder Summit 2026

    23 June 2026

    Robinhood’s note on 10% layoffs shows that blaming AI doesn’t cut it

    17 June 2026
  • Hardware

    This slush machine was a lifesaver during the New York heat wave

    12 July 2026

    Dumb Co dared me to exchange my iPhone for a hacked phone

    11 July 2026

    SK Hynix raises $26.5 billion in largest foreign public IPO in US history, set to build new fabs in US

    11 July 2026

    After Apple, smartphone manufacturing boom in India enters new phase with Vivo JV

    10 July 2026

    Elon Musk praises Mythos/Fable, promises not to ‘cut’ Anthropic

    10 July 2026
  • Media & Entertainment

    Netflix could be planning “always on” live TV channels.

    11 July 2026

    Netflix is ​​dealing with shorter video content with its new set of publisher deals with Variety and others

    8 July 2026

    Netflix invented binge watching. Now he may be over it.

    7 July 2026

    New Google ad imagines a Declaration of Independence written with the help of artificial intelligence

    4 July 2026

    Cloudflare’s new policy pushes AI companies to pay for publishers’ content

    1 July 2026
  • Security

    US cybersecurity agency CISA had to create the incident guide during the incident, the agency reveals

    11 July 2026

    Florida ransomware dealer convicted of helping ransomware gang extort US companies

    10 July 2026

    Hacktivists call out Trump by hacking and defacing US military websites

    8 July 2026

    Canada’s spy agency says it hacked drug traffickers, extremists and a ransomware gang last year

    6 July 2026

    Politician who investigated abuses of wiretapping software on his phone with Pegasus spyware

    3 July 2026
  • Startups

    Former OpenAI executive Kevin Weil is now on Stoke Space’s board

    11 July 2026

    Phia Accused of ‘Cookie Stuffing’, Taking Affiliate Credit for Unearned Purchases

    11 July 2026

    Oratomic raises $300M to build sustainable quantum computer that only needs 20,000 qubits

    10 July 2026

    These AI startups are growing revenue at an ever-faster pace

    10 July 2026

    Popular Open Source AI Developer Tool Ollama Raises $65M, Grows to Nearly 9M Users

    9 July 2026
  • Transportation

    Slate Auto partners with Crayola to paint its EV truck

    10 July 2026

    Autonomous drone delivery startup Manna plans major US expansion

    9 July 2026

    Federal authorities are demanding that autonomous vehicle companies stop interfering with first responders

    9 July 2026

    Another massive data breach exposed millions of driver’s license numbers

    8 July 2026

    This startup brings dealers together to bid on your used car

    7 July 2026
  • Venture

    Filed Under: College Fizz App Accuses VC Of Sharing Confidential Startup Info With Rival Sidechat

    11 July 2026

    Charles Hudson shares the common mistakes he’s seen after investing in 500+ startups

    10 July 2026

    Nandan Nilekani steps down as GP at Fundamentum as it launches third $200m fund

    9 July 2026

    What are bending spoons? The little-known owner of AOL and Vimeo who is now public

    5 July 2026

    After $18B IPO, Bending Spoons Founder Says Success Comes From Minimizing Luck

    2 July 2026
  • Recommended Essentials
TechTost
You are at:Home»Security»Employees at failed startups are at particular risk of personal data theft via old Google logins
Security

Employees at failed startups are at particular risk of personal data theft via old Google logins

techtost.comBy techtost.com19 January 202506 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Email
Employees At Failed Startups Are At Particular Risk Of Personal
Share
Facebook Twitter LinkedIn Pinterest Email

As if losing your job when the startup you work for collapses isn’t bad enough, now a security researcher has found that workers at failed startups are at particular risk of having their data stolen. This ranges from their personal Slack messages to their Social Security numbers and possibly bank accounts.

The researcher who discovered the issue is Dylan Ayrey, co-founder and CEO of Andreessen Horowitz-backed startup Truffle Security. Ayrey is best known as the creator of the popular open source project TruffleHog, which helps monitor for data leaks in case bad guys get their hands on identity-binding tools (ie API keys, passwords, and tokens).

Ayrey is also a rising star in the bug hunting world. Last week on ShmooCon security conferencetalked about a flaw he found with Google OAuth, the technology behind Sign in with Google, which people can use instead of passwords.

Ayrey gave his talk after reporting the vulnerability to Google and other companies that could be affected, and was able to share the details because Google doesn’t ban its bug hunters from talking about their findings. (Google’s ten-year-old Project Zero, for example, often presents the flaws it finds in other tech giants’ products, such as Microsoft Windows.)

He discovered that if malicious hackers bought the damaged domains of a failed startup, they could use them to connect to cloud software configured to allow every employee in the company to access, such as a corporate chat or video application. From there, many of these apps offer company directories or user information pages where the hacker could discover the actual emails of former employees.

Armed with the domain and those emails, hackers could use the Sign in with Google option to access many of the startup’s cloud software applications, often finding more employee emails.

To test the flaw he found, Ayrey bought a failed startup domain and from it was able to connect to ChatGPT, Slack, Notion, Zoom, and an HR system that contained Social Security numbers.

“That’s probably the biggest threat,” Ayrey told TechCrunch, as data from an HR system in the cloud is “the easiest thing to monetize, and Social Security numbers and bank information and whatever else is out there in HR systems are likely to be “targeted. He said old Gmail accounts or Google Docs created by employees, or any data created with Google apps, are not at risk either. Google confirmed.

While any failed company with a domain for sale could fall victim, startup workers are especially vulnerable because startups tend to use Google apps and a lot of cloud software to run their businesses.

Ayrey estimates that tens of thousands of former employees are at risk, as well as millions of SaaS software accounts. This is based on his research that found 116,000 website domains currently being offered for sale by failed tech startups.

Prevention is available but not perfect

Google actually has technology in its OAuth configuration that should prevent the risks Ayrey describes if the SaaS cloud provider uses it. It’s called a “sub-id”, which is a series of numbers unique to each Google account. While an employee can have multiple email addresses linked to their work Google account, the account should only have one secondary ID.

If configured, when the employee goes to sign in to a cloud software account using OAuth, Google will send both the email address and secondary ID to identify the person. So, even if malicious hackers recreated email addresses with domain control, they should not be able to recreate these IDs.

But Ayrey, working with an affected SaaS HR provider, discovered that this ID “was unreliable,” as he put it, meaning the HR provider found it changed a very small percentage of the time: 0.04%. This may be statistically close to zero, but for an HR provider handling huge numbers of daily users, it adds up to hundreds of failed logins every week, locking users out of their accounts. That’s why this cloud provider didn’t want to use Google’s secondary identifier, Ayrey said.

Google disputes that the secondary identifier ever changes. As this finding came from the HR cloud provider, not the researcher, it was not submitted to Google as part of the bug report. Google says that if it ever sees evidence that the secondary identifier is untrusted, the company will address it.

Google changes its mind

But Google also commented on how important this issue was. At first, Google completely dismissed Ayrey’s bug, immediately closing the ticket and saying it wasn’t a bug but a matter of “fraud.” Google wasn’t entirely wrong. This risk comes from hackers controlling domains and abusing email accounts they recreate through them. Ayrey did not dispute Google’s initial decision, calling it a data privacy issue where Google’s OAuth software worked as it should, even though users could still be harmed. “It’s not that cut and dry,” he said.

But three months later, just after his talk was accepted by ShmooCon, Google changed its mind, reopened the ticket, and paid Ayrey a $1,337 bonus. Something similar happened to him in 2021, when Google reopened his ticket after he gave a wildly popular talk about his findings at the Black Hat cybersecurity conference. Google even awarded Ayrey and his bug-finding partner, Allison Donovan, their third Security Researcher of the Year award prizes (plus $73,331).

Google has yet to issue a technical fix for the flaw, nor a timeline for when it might — and it’s unclear if Google will ever make a technical change to somehow address this problem. However, the company has updated documentation to tell cloud providers to use the secondary ID. Google also offers instructions to founders on how companies should properly shut down Google Workspace and prevent the problem.

Ultimately, Google says, the solution is for founders who shut down a company to make sure they properly shut down all their cloud services. “We appreciate Dylan Ayrey’s help in identifying the risks of customers forgetting to delete third-party SaaS services as part of their decommissioning,” the spokesperson said.

Ayrey, a founder himself, understands why many founders may not have ensured their cloud services were turned off. Closing a company is actually a complicated process done during an emotionally painful time – involving many items, from disposing of employees’ computers, closing bank accounts and paying taxes.

“When the founder has to deal with shutting down the company, they’re probably not in a good position to think about all the things they need to think about,” Ayrey says.

data employees failed Google logins OAuth personal Risk startups theft
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleFast-growing South African business FARO raises $6 million to source, refurbish and sell surplus clothing
Next Article TikTok is restoring service in the US
bhanuprakash.cg
techtost.com
  • Website

Related Posts

US cybersecurity agency CISA had to create the incident guide during the incident, the agency reveals

11 July 2026

Apple is suing OpenAI for alleged trade secret theft

11 July 2026

Florida ransomware dealer convicted of helping ransomware gang extort US companies

10 July 2026
Add A Comment

Leave A Reply Cancel Reply

Don't Miss

This slush machine was a lifesaver during the New York heat wave

12 July 2026

Former OpenAI executive Kevin Weil is now on Stoke Space’s board

11 July 2026

OpenAI bets on families as ChatGPT goes deeper into households

11 July 2026
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Fintech

Don’t want to invest in Elon Musk? Two new ETFs expressly exclude him

10 July 2026

India’s payments chief believes artificial intelligence will play a big part in the next era of digital payments development

28 June 2026

Early Bird pricing ends tonight for the Founder Summit

26 June 2026
Startups

Former OpenAI executive Kevin Weil is now on Stoke Space’s board

Phia Accused of ‘Cookie Stuffing’, Taking Affiliate Credit for Unearned Purchases

Oratomic raises $300M to build sustainable quantum computer that only needs 20,000 qubits

© 2026 TechTost. All Rights Reserved
  • About Us
  • Contact Us
  • Privacy Policy
  • Terms and Conditions
  • Disclaimer

Type above and press Enter to search. Press Esc to cancel.