The Startup Risk You Didn't Know: How Expired Google Domains Can Compromise Sensitive Data
Ars Technica • 3 weeks ago

Summary:

  • Startups often fail to properly close Google accounts, leading to security risks.

  • 90% of startups fail, leaving many domains for sale with active Google accounts.

  • Buying an expired domain can give access to sensitive data like tax documents and personal messages.

  • Google emphasizes the need to follow best practices when shutting down accounts to avoid these risks.

  • Any domain that used Google Workspace without deleting its account remains vulnerable.

The Startup Risk You Didn't Know

Many startups rely on Google's Workspace for essential operations like email and document management. Unfortunately, when startups fail, they often neglect to properly shut down their Google accounts, leading to significant security risks.

The Danger of Abandoned Google Accounts

According to Dylan Ayrey from Truffle Security Co., the failure to close Google accounts can leave sensitive information accessible when a domain is sold. With a staggering 90% failure rate among startups and 6 million employees in the tech sector, many such domains come up for sale. If a new owner purchases a domain with an active Google account, they can potentially gain access to accounts linked to numerous services like Slack, ChatGPT, Zoom, and more.

Ayrey's investigation revealed that after acquiring a defunct startup domain, he could access sensitive materials including tax documents, job interview details, and direct messages through Google account sign-ins.

Best Practices for Closing Google Accounts

A Google spokesperson acknowledged these risks and emphasized the importance of following proper procedures when shutting down operations. They recommend that customers:

  1. Close out their domains according to Google's instructions.
  2. Understand that canceling Google Workspace does not delete user accounts, which remain accessible until the organization's Google account is fully deleted.

While Ayrey's findings primarily relate to startups, any domain that utilized Google Workspace for third-party service authentication without deleting its Google account poses a significant vulnerability.
