Experts have uncovered a method for hackers to steal data from people’s Google Drive accounts without leaving any trace of the files they got away with.
Cybersecurity researchers from Mitiga Security have published findings claiming the problem lies in the fact that for users without a paid license for Google Workspace, nothing is logged and there are no records of any actions a user might make in their private drive.
That means should a threat actor compromise a cloud storage account, they could easily revoke their paid license, bringing the account back to the “Cloud Identity Free”, costless license, and thus turning off any logging or record-taking features. After that, they’d be able to exfiltrate any and all files without leaving a single trace. The only thing an admin would later see is that someone revoked a paid license.
Mitiga says it notified Google of its findings, who is yet to respond.
Identifying which files were taken during a data breach is an essential part of any post-mortem or hacking forensics process. It helps the victims determine what type of data was taken, and thus conclude if there is any danger of potential identity theft, wire fraud, or similar.
Proper logging is also one of the standard ways for IT teams to keep track for potential incursions before they are able to cause any serious damage.