Massive Google Webmaster Tools security breach reported

Google Webmaster Tools, the Google site that helps website owners manage how their site appears in Google, diagnose problems, and optimize traffic, is currently experiencing a major security breach.

Old accounts are being re-verified, says Search Engine Journal. That may not sound like a big deal, but it’s a potential disaster for anyone who has had search engine optimizers working on their websites.

“From initial glance at our WMT’s accounts we now have regained access to every old account we have previously been given access to, whether that is a previous client or maybe a site that came to us for some short term consultancy,” David Naylor posted on his search marketing blog today.

Above: Google Webmaster Tools re-verifying old accounts

Image Credit: David Naylor

Hopefully, no black hats are taking advantage of this renewed access to former clients’ sites. They could cause significant damage by uploading fake sitemaps, requesting removal of key URLs from Google’s index, reconfiguring U.S.-based sites to target users in Kazakhstan, Timbuktu, or any other random place, or setting Google’s crawl rate to a ridiculously slow pace, among other things.

Dennis Goedegebuure, a former director of SEO at eBay, confirmed to The Next Web that he had been granted access to eBay’s webmaster tools even though he left the company almost a year and a half ago.

I personally could not verify the problem. In former lives I’ve managed sites with millions of monthly pageviews and had access to those sites’ accounts. A quick check tonight verified that I have not been re-verified for those accounts — which may mean that Google has fixed the issue, or simply that my GWT account was not affected.

The breach goes as far as granting access to sites’ Google Analytics accounts as well, at least in some cases. That allows access to extremely sensitive information that companies and sites do not want former employees or consultants seeing or sharing.

Google hasn’t commented on the issue yet, as far as I can tell, and the Google Webmaster Tools blog has not been updated since November 12.

UPDATED 1:03PM:

Google has now released a comment:

“For several hours yesterday a small set of Webmaster Tools accounts were incorrectly re-verified for people who previously had access. We’ve reverted these accounts and are investigating ways to prevent this issue from recurring.”

Meanwhile, Twitter is doing what Twitter does:
