35 million Google profiles were *already* exposed on the internet

Filed Under: Facebook, Google, Privacy, Social networks

Do you have a Google Profile? Did you find yourself getting the collywobbles when you read the headlines in the security press?

Here's just a handful of the many headlines that have appeared in the last few days:

"35 Million Google Profiles Captured In Database", Information Week

"35m Google Profiles dumped into private database‎", The Register

"Entire Google Profile database acquired by a user", ARN

Matthijs R. Koot, a PhD student at the University of Amsterdam, was able to create a database of 35 million Google Profiles, scooping up real names, email addresses, biographical information, Twitter feeds, links to Picasa photos, etc.

Sound scary to you? If so, maybe you're one of those people who has populated your Google Profile with a large amount of private information that you wouldn't like to fall into the hands of ne'er-do-wells.

At first glance the headlines might appear worrying. But there's one important thing you need to know.

All of this information was already available to anyone on the internet.

Some Google Profiles

You may remember that last year security researcher Ron Bowes conducted a similar experiment with Facebook, creating a database of 100 million Facebook users who had left their profiles open for anybody to view.

Koot has done something similar - but with Google Profiles. He wrote a relatively simple script (which he published on the net for others to try out) that harvests Google Profile data - and in the process, revealed that many users were potentially being careless with their personal information.

Part of Koot's script

So, Koot hasn't actually exposed any new information. He's just written a script to collect together data which was already out there.

Google Profile allows you to choose the form of the URL to your profile. You can either have a random-looking number, or the username you use for Gmail.

For instance, Matthijs R. Koot has the option of using:

https://profiles.google.com/115572197788225218471

or

https://profiles.google.com/mrkoot

Google Profile URL

However, Google Profile users are explicitly warned that if they choose to customise their URL with their GMail username, they will be making their email address publicly discoverable.

Koot says that he conducted the test to expose how careless people were being with Google Profile, and in particular that they were exposing their email addresses.

He discovered that approximately 40% of the 35 million Google Profiles he accessed exposed the owner's username and hence their @gmail.com address. That's 15 million exposed email addresses.
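The two URL forms above are the whole mechanism behind the 40% figure: a numeric profile ID tells a reader nothing, while a custom name is the account's Gmail username, so anyone who sees the URL can infer the address. The following self-audit helper is an added example written for this post, not code from the original article or from Koot's script. It classifies profile URLs by form and reports what share of a list would expose an address; the five sample URLs are constructed, and the assumption that numeric IDs consist only of digits is taken from the single example in the post.

```python
import re
from urllib.parse import urlparse

# Assumption (from the one example in the post): the non-custom form of a
# profile URL is an all-digit ID such as 115572197788225218471.
NUMERIC_ID = re.compile(r"^\d+$")

PROFILE_HOST = "profiles.google.com"


def profile_handle(url: str) -> str:
    """Return the first path segment of a profiles.google.com URL.

    Trailing slashes, sub-pages such as /about and query strings are ignored,
    so 'https://profiles.google.com/mrkoot/about?hl=en' yields 'mrkoot'.
    """
    parsed = urlparse(url)
    if parsed.netloc.lower() != PROFILE_HOST:
        raise ValueError(f"not a Google Profile URL: {url}")
    segments = [s for s in parsed.path.split("/") if s]
    if not segments:
        raise ValueError(f"profile URL has no handle: {url}")
    return segments[0]


def uses_custom_username(url: str) -> bool:
    """True when the URL uses a custom name rather than a numeric ID.

    Per the post, a custom name is the owner's Gmail username, so a True
    result means the profile URL alone reveals the owner's email address.
    """
    return NUMERIC_ID.fullmatch(profile_handle(url)) is None


def exposure_summary(urls):
    """Count how many profile URLs in a list reveal a Gmail username.

    Returns a dict with the total, the number exposed and the percentage,
    which is the same arithmetic the post applies to 35 million profiles.
    """
    total = len(urls)
    exposed = sum(1 for u in urls if uses_custom_username(u))
    percent = round(100.0 * exposed / total, 1) if total else 0.0
    return {"total": total, "exposed": exposed, "percent": percent}


# Constructed sample: two custom names out of five URLs, i.e. 40% exposed.
SAMPLE_URLS = [
    "https://profiles.google.com/115572197788225218471",
    "https://profiles.google.com/mrkoot",
    "https://profiles.google.com/100000000000000000001/about",
    "https://profiles.google.com/example.user?hl=en",
    "https://profiles.google.com/100000000000000000002/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        state = "reveals Gmail username" if uses_custom_username(url) else "numeric ID only"
        print(f"{url}: {state}")
    print(exposure_summary(SAMPLE_URLS))
```

Running it against your own profile URL tells you which side of the 40% you are on; the check never needs to fetch the profile, which is exactly the point: the information is in the address bar.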

There's an obvious potential for spear phishing and malware campaigns when you have access to such a hoard of legitimate email addresses. Especially when they can be combined with other personal information shared on your Google Profile.

Google Profile users can adjust their settings to not allow their profiles to be indexed by search engines. But that's not really fixing the main problem.

Google Profile search visibility

Wouldn't it be better to choose not to post personal information in the first place?

One problem, of course, is that you may not actually realise that you already have a Google Profile.

After all, Google freely admits that "if you've been writing reviews on Google Maps, posting buzz on Google Buzz, creating articles on Google Knol, sharing Google Reader items, or adding books to your Google Book Search library, you may already have a profile."

Google Profile help screen

Maybe now is the time to check if you have a Google Profile, and - if you do - that you're comfortable with the information you're sharing through it.

Ultimately, though, remember the golden rule. If you don't want a piece of information to fall into the hands of hackers/your boss/your mother-in-law then maybe it's best not to post it on the internet in the first place.


9 Responses to 35 million Google profiles were *already* exposed on the internet

  1. wbskates · 1207 days ago

    Ok, I'm a DJ. That's what I do for a living. I hope I have a Google profile, as well as a Yahoo. And , of course, Facebook. I really don't care about My _(My Space.) I still don't want to be hacked, phished, or any other cyber crime. How can I be very public, without opening myself to the "bad" element?

    Thanks!

    Wild Bill Stanley

    • Hey Wild Bill,

      If you want to use Google/Yahoo/Facebook et al to promote your DJ business that's absolutely fine. Of course, you want to make it easy for people to find out about you and ways in which to contact you.

      But I would suggest that you only post business information onto these sites, rather than personal stuff.

      Specifically, regarding Facebook, we have published guidelines about how to lock down your privacy and security there: http://www.sophos.com/en-us/security-news-trends/...

  2. Karen · 1207 days ago

    How does one check one's Google profile, or even if one has one?

  3. Do these crooks get passwords, addresses, and other private stuff?

  4. joey1058 · 1093 days ago

    As you say, if you don't want it public, don't put it in a public place. It's annoying that Google is being mule-headed about its names policy, but I drank the Kool-Aid years ago. So I personally don't have a problem with it. But I make sure (almost) everything I post online is appropriate. Occasionally I slip and get stupid. But that's being human. Nothing that's going to scar me for life.

  5. According to The Register, Google isn't worried about Koot's project and the implications. "Public profiles are usually discovered when people use search engines, and sitemap information makes it possible for search engines to index these public profiles so that people can find them. The sitemap does not reveal any information that is not already designated to be public," said the company spokesman.

  6. solenoid25 · 786 days ago

    Off-topic amusement:

    One reason I enjoy reading your insights, Graham, is the exposure to brittishisms. Ok, I know I just made that word up.

    I did a fast search on a few sites looking for "cobbywobbles" and couldn't find it meaningfully. From context, I'd imagine that it's something similar to "the heebie-jeebies" as we say in the USA, at least midwesterners. Odd, now I realize I've never seen it written out. Basically, heebie-jeebies means scared, uncomfortable, spooked, or goosebump-inducing. Is that the same as "cobbywobbles"?

    Keep up the good work, enjoy 'yer big global athletic event thing.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.