Has your Google account been compromised?
A friend of mine has a small business and recently had a Google Workspace (formerly G Suite) shared drive disappear. I'm going to share with you the story of how it happened, the steps I took to investigate, and how you can stop it from happening to you!
Shared Drive Permission Problem
It all started back in August, when the business was experiencing permission problems with a shared drive that contained all their files. It was odd, as the Google Admin console did not list the shared drive, and I advised them to log a support ticket with Google. Google's own best practice is to create a new shared drive for each project, not to keep everything in one. This was the first warning sign: if a shared drive you're using is not in your admin console, then how and where is it configured? As it was not broken, and small businesses only have time to work on things with high priority, the Google support case was never logged.
My friend called me on Friday 6th November 2020: the shared drive that the entire company relied upon had disappeared overnight. Every document the company had created in six years had vanished. No backups, because you don't need them, right? Google keeps multiple versions of your files, as long as you keep paying the bill.
Google Support Bombshell
I advised them to create a support request with Google immediately; in the past, Google support has been really good at simplifying problems and getting to the bottom of them. My friend shared the chat transcript with me, and I was in shock when I saw it!
Google Workspace Support: Do you have the Shared Drive's URL?
Google Customer: Unfortunately I don't have the link to the drive, but we have links to shared folders within that drive: https://drive.google.com/drive/u/1/folders/<redacted>
Google Workspace Support: It doesn't belong to this domain
Google Workspace Support: The name is or was 'Untitled Team Drive'
Google Customer: What domain does this belong to?
Google Workspace Support: mydr.me
Google Workspace Support: The owner of that domain must give you access or restore it from trash or move it back to its original location
Google Workspace Support: Also if the owner needs help finding out what happened to the Shared Drive a case must be filed from that Admin console
Google Customer: Are you able to advise who the owner of that tenant is, or any contact details?
Google Customer: email address maybe?
Google Workspace Support: We care about our customer's privacy and for that reason we don't disclose information without a proper validation
Google Workspace Support: In this case a PIN number would be required for me to confirm that to you
Google Workspace Support: Generated from the Admin console of mydr.me
Google Customer: Is there any way for us to recover this data?
Google Workspace Support: Only the owner of a Shared Drive can recover it
Google Customer: ok, thank you for your help today.
Investigation & Forensics
The first place to look when investigating what happened in your Google Workspace account is the audit logs. The audit log records admin, data access, and system events for your account. After checking the audit log, there were no log events related to any drive, ever. That's because Drive events are logged in the account of the organization that owns the drive, not in the accounts of the organizations whose users merely have access to it. Knowing that another account owned the drive, and that no Google logs were available to us, the company laptops were the next step in the investigation.
Google Drive can be accessed via Drive File Stream, which streams files directly from Google; they are not stored locally unless offline caching is enabled. The File Stream logs contained details of the connections to Google servers, and nothing else. There was a cache folder, but it was empty. A file recovery utility was run over a few of the laptops that had been using File Stream, but no data or files, not even temporary ones, were left to recover. There was really nothing to forensically investigate.
Google Vault lets you search for messages, Drive files, and content from other services. Searching for the domain of the account that owns the drive, mydr.me, turned up emails sent to all users asking them to accept a drive share request from outside the organization. The email headers and DMARC all checked out: they were genuine Google emails, not a phishing attack. You see, any organization can share its shared drive with another one, and all it takes is one user to accept that share request. Membership is granted at the organization level, so the other users gain access without anything being configured for them individually.
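The check described above, verifying that a share invitation really came from Google while still flagging which outside organization is doing the sharing, as an added example for this post (not code from the original article). It parses a message as it would be exported from Vault: the SPF/DKIM/DMARC verdicts stamped by the receiving mail server tell you whether Google sent it, and the Reply-To or body tells you who the sharer is. Both sample messages are constructed; the company domain example.com is an assumption, and only the sharer domain mydr.me and the redacted folder link come from the support transcript. A lookalike invitation with failed authentication is included to show the failure path.

```python
"""Triage a Drive share notification: did Google really send it, and which
outside organisation is sharing?  Added example, not the article's own code."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumption: the business's own Workspace domain
GOOGLE_SENDER_DOMAIN = "google.com"     # share notifications are sent from google.com

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DRIVE_LINK_RE = re.compile(r"https://drive\.google\.com/\S+")

# Constructed sample modelled on a genuine share invitation (headers illustrative).
GENUINE_INVITE = """\
Delivered-To: alice@example.com
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025;
       spf=pass (google.com: domain of 3abc@doclist.bounces.google.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=3abc@doclist.bounces.google.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
From: "Unlimited Drive (via Google Drive)" <drive-shares-noreply@google.com>
Reply-To: admin@mydr.me
To: alice@example.com
Subject: Shared drive invitation: Untitled Team Drive
Content-Type: text/plain; charset="UTF-8"

admin@mydr.me has invited you to join the shared drive "Untitled Team Drive".

Open: https://drive.google.com/drive/u/1/folders/<redacted>
"""

# Constructed lookalike: spoofed From header, so the receiving server records failures.
LOOKALIKE_INVITE = """\
Authentication-Results: mx.google.com;
       dkim=none;
       spf=fail (google.com: domain of bounce@drive-deals.example does not designate 203.0.113.5 as permitted sender) smtp.mailfrom=bounce@drive-deals.example;
       dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=google.com
From: "Google Drive" <drive-shares-noreply@google.com>
To: alice@example.com
Subject: Shared drive invitation
Content-Type: text/plain; charset="UTF-8"

admin@mydr.me has invited you to join the shared drive "Untitled Team Drive".

Open: https://drive.google.com.drive-deals.example/folders/abc
"""


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _body_text(msg: Message) -> str:
    """Plain-text body, walking multipart messages if needed."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def parse_auth_results(msg: Message) -> dict:
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    text = "\n".join(msg.get_all("Authentication-Results", []))
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(text)}


def triage_share_notification(raw: str, company_domain: str = COMPANY_DOMAIN) -> dict:
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    body = _body_text(msg)

    # Genuine only if the visible From is google.com AND the receiving server
    # saw SPF, DKIM and DMARC all pass; a pass proves Google sent it, nothing more.
    sent_by_google = from_domain == GOOGLE_SENDER_DOMAIN and all(
        auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))

    # The sharer is in Reply-To on Google's notifications; fall back to the body.
    sharer = parseaddr(msg.get("Reply-To", ""))[1]
    if not sharer:
        found = EMAIL_RE.search(body)
        sharer = found.group(0) if found else ""
    sharer_domain = _domain(sharer)

    return {
        "sent_by_google": sent_by_google,
        "auth": auth,
        "sharer": sharer,
        "sharer_domain": sharer_domain,
        "external": bool(sharer_domain) and sharer_domain != company_domain.lower(),
        "drive_links": DRIVE_LINK_RE.findall(body),
    }


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_INVITE), ("lookalike", LOOKALIKE_INVITE)):
        print(label, triage_share_notification(raw))
```

The point of the two results side by side: the genuine invitation authenticates perfectly and is still the dangerous one, because `external` is true and the sharer's domain is not yours. DMARC answers "did Google send this?", not "should my staff accept it?"; that second question is what the sharing settings in the Admin console are for.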
How It Happened
The default setting in a Google Workspace account allows anyone to upload or move content to shared drives owned by another organization. That is a very dangerous setting, and you should check it in your Google Workspace account (it lives under the Drive and Docs sharing settings in the Admin console)! Changing it will help protect your data in Google Drive.
It turns out my friend had purchased "Google Drive Unlimited" from eBay, thinking it was legitimate. It looked legitimate because the sharing page was the real Google Drive page. Google accounts are set up posing as educational institutions, which get unlimited Google Drive storage, and memberships of their shared drives are sold on sites like eBay to make money. There are many problems with this: if another user of the same account shares illegal content or is reported to Google for breaching its terms and conditions, the account and all of its shared drives are suspended. The account owner also has access to all of the data, and could monetize it, for example credit card details or identities.
Data Recovery and Next Steps
The only way to recover the data is to get hold of the other account owner and have them put their Google account right, which, given the lack of information about them and the fact that they have already been paid, isn't really an option. After numerous attempts, including a legal request to Google, it is clear that only the account owner can liaise with Google on this matter.