Earlier tonight, reports began rolling in of a serious breach in Google accounts security. Some sort of glitch has granted access to Webmaster Tools, Google Analytics and perhaps even more tools to users who previously had access, but then had that access revoked. Updated with statement from Google below.
This means that ex-employees or contractors which formerly had access to a site’s records, reports and tools that could affect its place on the web have suddenly had their access restored. This is an enormously dangerous situation, obviously, as there is no guarantee that those people won’t do something malicious with that access.
You can see some evidence of the Webmaster Tools access on David Naylor’s blog here, where he demonstrates some of the things that could be done to his firm’s ex-clients. He has reported that he has access to Analytics too and that the issue has been going on for several hours at least, but we’ve been unable to corroborate any access to Analytics by anyone else.
You can see the Reverifications triggering here:
We spoke to Dennis Goedegebuure from TheNextCorner.net and former Director of SEO at eBay about the issue. He noted that he had been granted access to eBay’s Webmaster Tools, though he left the company 15 months ago.
He has not accessed the account at all, as that would be improper, but there is no way to know whether every one of the accounts that have been reinstated with this glitch will belong to conscientious users like Naylor and Goedegebuure.
Here’s a screenshot of Goedegebuure’s access to the eBay account:
Currently, SEO blogs like State of Searchand SEOpros on Twitter are on fire with this issue. Many people are finding themselves suddenly in possession of access to accounts that they have no business being in charge of.
The things that could be accomplished with access to Webmaster Tools alone include some fairly scary stuff:
- Change preferred domain, redirecting to another site (
Imagine eBay suddenly being pointed to Amazon.com). As pointed out by Vanessa Fox in the comments below, this one wouldn’t be possible, but you could send it to one of your personal domains.
- Drop pages from the index, removing the homepage URL.
- Remove all sitemaps from the account.
- Remove all users access from the webmaster.
- Change parameter handling, and canonicalization.
There have also been reports that Google Talk contacts are reappearing as well. If you’re a site owner, you’re probably going to want to head into your WMT panel to delete those users. We have reached out to Google and they are looking into the issue.
Update: A Google spokesperson has given the following statement about the issue:
For several hours yesterday a small set of Webmaster Tools accounts were incorrectly re-verified for people who previously had access. We’ve reverted these accounts and are investigating ways to prevent this issue from recurring
Image Credit: Sean Gallup/Getty Images News