Failed Startup Employees at Risk of Data Theft Due to Domain Takeover

Jordan Vega

January 19, 2025 · 3 min read

A security researcher has uncovered a critical vulnerability that puts former employees of failed startups at risk of data theft, including sensitive information such as Social Security numbers and bank accounts. The discovery was made by Dylan Ayrey, co-founder and CEO of Truffle Security, who is known for his work on the popular open-source project TruffleHog.

The vulnerability arises when malicious hackers buy the defunct domain of a failed startup, re-create Google Workspace accounts under it, and log in to cloud software that was configured to grant access to anyone with an email address on the company's domain. From there, hackers can browse company directories or user-info pages and discover former employees' actual email addresses. Armed with the domain and those addresses, they can use the "Sign in with Google" option to get into many of the startup's cloud software apps, often finding still more employee emails along the way.

To test the flaw, Ayrey bought one failed startup's domain and was able to log in to ChatGPT, Slack, Notion, Zoom, and an HR system containing Social Security numbers. He estimates that tens of thousands of former employees are at risk, as well as millions of SaaS software accounts. This is based on his research that found 116,000 website domains currently available for sale from failed tech startups.

Google's OAuth sign-in includes a "sub-identifier" (a unique, stable per-account ID that apps can use instead of the email address) that should prevent this risk, but Ayrey found that it was unreliable in a small percentage of cases. This means that even when an app relies on the sub-identifier, it may not always work as intended, and hackers can still gain access to sensitive information.

Google initially dismissed the bug, calling it a "fraud" issue, but later changed its mind and paid Ayrey a $1,337 bounty. The company has updated its documentation to tell cloud providers to use the sub-identifier and offers instructions to founders on how to properly shut down Google Workspace and prevent the problem.
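The two preceding paragraphs describe the core design choice on the SaaS side: whether a "Sign in with Google" handler maps an ID token to a local account by its email address (and hosted domain) or by the stable sub-identifier. The following Python is an added example, not code from the article, from Truffle Security, or from Google; the ID-token claims, the account table, and the sub values are constructed for illustration. The `iss` values are Google's documented issuer strings; everything else (`USERS`, the function names, the email and domain) is hypothetical.

```python
# Added example (not from the article): how a SaaS app's "Sign in with Google"
# handler decides which local account an OpenID Connect ID token maps to.
# All tokens, subs and accounts below are constructed, not real Google data.

GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")

# Constructed sub values: the original employee's Google account, and the
# account an attacker gets by re-creating the same address under a new
# Workspace tenant on the re-registered domain. Google assigns a new sub.
ORIGINAL_SUB = "110248495921238986420"
NEW_TENANT_SUB = "217734120033559981127"

# Constructed account table of the SaaS app (e.g. the HR system in the article).
USERS = [
    {"id": 1, "email": "alice@example-startup.com",
     "google_sub": ORIGINAL_SUB, "role": "hr-admin"},
]


def _basic_checks(claims):
    """Checks both strategies share: a Google-issued, verified-email token."""
    return claims.get("iss") in GOOGLE_ISSUERS and claims.get("email_verified") is True


def lookup_by_email(claims, users=USERS):
    """Vulnerable mapping: keys on the email (and hosted-domain) claim.

    A re-created Workspace tenant on the same domain yields the same email,
    so the attacker's fresh account is linked to the old employee's record.
    """
    if not _basic_checks(claims):
        return None
    return next((u for u in users if u["email"] == claims["email"]), None)


def lookup_by_sub(claims, users=USERS):
    """Hardened mapping: keys on the stable `sub` claim.

    The re-created tenant has a different sub, so nothing matches and the
    app treats the login as a brand-new user instead of the former employee.
    """
    if not _basic_checks(claims):
        return None
    return next((u for u in users if u["google_sub"] == claims["sub"]), None)


def sign_in(claims, strategy="sub", users=USERS):
    """Return ("existing", account) or ("new", None) for an incoming token."""
    lookup = lookup_by_sub if strategy == "sub" else lookup_by_email
    account = lookup(claims, users)
    return ("existing", account) if account else ("new", None)


# Constructed token claims (the parts relevant here) for the two scenarios.
ORIGINAL_EMPLOYEE_TOKEN = {
    "iss": "https://accounts.google.com", "sub": ORIGINAL_SUB,
    "email": "alice@example-startup.com", "email_verified": True,
    "hd": "example-startup.com",
}
DOMAIN_BUYER_TOKEN = {
    "iss": "https://accounts.google.com", "sub": NEW_TENANT_SUB,
    "email": "alice@example-startup.com", "email_verified": True,
    "hd": "example-startup.com",
}

if __name__ == "__main__":
    for name, token in (("original employee", ORIGINAL_EMPLOYEE_TOKEN),
                        ("domain buyer", DOMAIN_BUYER_TOKEN)):
        print(name, "by email ->", sign_in(token, "email"))
        print(name, "by sub   ->", sign_in(token, "sub"))
```

Run as a script, the email strategy links the domain buyer's token to the former employee's `hr-admin` record, while the sub strategy sees an unknown `sub` and starts a new, empty account. This is the behaviour Google's updated documentation asks providers to rely on; as the article notes, Ayrey found the sub value itself unreliable in a small fraction of cases, so keying on `sub` reduces rather than eliminates the exposure.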

However, Google has not yet issued a technical fix for the flaw, nor a timeline for when it might. The company says the fix is for founders shuttering a company to make sure they properly close all of their cloud services. Ayrey, a founder himself, understands why many founders might not have ensured their cloud services were disabled, given the complexities of shutting down a company.

The discovery highlights the importance of proper shutdown procedures for companies, especially startups that rely heavily on cloud software to run their businesses. It also underscores the need for cloud providers to take proactive measures to prevent data theft and protect their users' sensitive information.

In the meantime, former employees of failed startups should be vigilant about monitoring their online accounts and sensitive information, and companies should take steps to ensure that their cloud services are properly closed down to prevent data theft.

Copyright © 2024 Starfolk. All rights reserved.