Employees of failed startups are at special risk of stolen personal data through old Google logins - DAVID RAUDALES DRUK

As if losing your job when the startup you work for collapses isn’t bad enough, a security researcher has now found that employees of failed startups are at particular risk of having their data stolen. The exposed data ranges from their private Slack messages to Social Security numbers and, potentially, bank account details.

The researcher who discovered the issue is Dylan Ayrey, co-founder and CEO of the Andreessen Horowitz-backed startup Truffle Security. Ayrey is best known as the creator of the popular open source project TruffleHog, which watches for leaked credentials such as API keys, passwords, and tokens before attackers can use them to log in.

Ayrey is also a rising star in the bug-hunting world. Last week at the security conference ShmooCon, he gave a talk on a flaw he found in Google OAuth, the technology behind “Sign in with Google,” which people can use instead of passwords. Ayrey gave the talk after reporting the vulnerability to Google and to other companies that could be affected, and he was able to share the details because Google doesn’t forbid bug hunters from talking about their findings. (Google’s decade-old Project Zero, for example, often showcases the flaws it finds in other tech giants’ products, such as Microsoft Windows.)

He discovered that if malicious hackers bought the defunct domain of a failed startup, they could use it to log in to cloud software configured to give every employee of the company access, such as a company chat or video app. From there, many of these apps offer company directories or user info pages where the hacker could discover former employees’ actual email addresses. Armed with the domain and those emails, hackers could use the “Sign in with Google” option to access many of the startup’s cloud software apps, often finding yet more employee emails. To test the flaw, Ayrey bought one failed startup’s domain and from it was able to log in to ChatGPT, Slack, Notion, Zoom, and an HR system containing Social Security numbers.
“That’s probably the biggest threat,” Ayrey told TechCrunch, as the data from a cloud HR system is “the easiest they can monetize, and the Social Security numbers and the banking information and whatever else is in the HR systems is probably pretty likely” to be targeted.

He said that old Gmail accounts or Google Docs created by employees, or any other data created with Google’s own apps, are not at risk, and Google confirmed this.

While any failed company with a domain for sale could fall prey, startup employees are particularly vulnerable because startups tend to use Google’s apps and a lot of cloud software to run their businesses. Ayrey calculates that tens of thousands of former employees are at risk, as well as millions of SaaS software accounts. This is based on his research, which found 116,000 website domains from failed tech startups currently available for sale.
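As an added illustration that is not part of this article or of Ayrey's research, the check below shows how a SaaS provider on the receiving end of “Sign in with Google” can avoid granting an old employee's account to whoever now controls the re-registered domain: it binds accounts to the stable OIDC `sub` claim that Google ID tokens carry alongside `email` and `hd`, rather than to the email address or hosted domain alone. The user directory and token claims are constructed for the example.

```python
"""Relying-party side check for "Sign in with Google" logins.

An email address that matches a known user but arrives with a different
`sub` is the fingerprint of the scenario described above: the defunct
domain has been re-registered and a brand-new Google account now claims
an old employee's address.
"""
from dataclasses import dataclass


@dataclass
class StoredUser:
    email: str
    google_sub: str  # `sub` recorded when the account was first linked


# Constructed directory for a fictional defunct startup's SaaS tenant.
USERS = {
    "alice@example-startup.invalid": StoredUser("alice@example-startup.invalid", "sub-111"),
    "bob@example-startup.invalid": StoredUser("bob@example-startup.invalid", "sub-222"),
}


def authorize_google_login(claims: dict, users: dict = USERS) -> str:
    """Return 'allow', 'review' or 'deny' for a Google ID token's claims.

    `claims` is the decoded payload of a token whose signature, issuer,
    audience and expiry have already been verified by the OIDC library.
    """
    if claims.get("email_verified") is not True:
        return "deny"
    sub = claims.get("sub")
    email = claims.get("email", "").lower()
    if not sub or not email:
        return "deny"

    # 1. Primary identity is the stable subject identifier, not the address.
    by_sub = {u.google_sub: u for u in users.values()}
    if sub in by_sub:
        return "allow"

    # 2. Known address, unknown subject: treat as a possible domain takeover.
    #    Do not silently relink the account; require out-of-band verification.
    if email in users:
        return "review"

    # 3. Unknown user: never auto-provision on the `hd` domain alone; an
    #    explicit invite from an existing admin is required instead.
    return "deny"
```

The `review` outcome is the signal to alert on: a login attempt against a dormant tenant whose email matches a former employee but whose Google subject is new.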
