On July 4, files of users of the Google Docs service appeared in Yandex search results. Many of them contained confidential information – users clearly did not expect their documents to be in the public domain.
The loophole was quickly eliminated: on the night of July 5, Yandex removed links to Google Docs documents from the search. However, in a couple of hours, users managed to find a lot of interesting things. For example, a file with instructions for hiring employees at Tinkoff Bank. It does not recommend hiring gays, Caucasians and FSB officers.
What happened?
It is not clear how the data leak occurred and why the entire array of documents ended up in search results right now. Yandex explained that their search engine “indexes only the open part of the Internet – those pages that are available when clicking on links without entering a username and password.” This happens automatically: Yandex search robots bypass all pages on the Internet that are not denied access, and then the search engine provides links to these pages at the appropriate user requests.
Google also admits guilt: they say that only those documents that were not protected by privacy settings were in the public domain. That is, in fact, these are pages open to the entire Internet. And users were warned about this in the User Agreement, which usually no one reads.
Themselves to blame
Group IB specialists (specializes in cybersecurity) believe that the situation with Google Docs cannot be called a leak of confidential data.
“This is user negligence… When you create a file in Google Docs, you have several options for choosing access to it. If you have a checkmark next to “publicly available for search and viewing” in your settings, your file may be indexed by search engines. Google warns users that searches will be possible. “Yandex” also does not violate anything,” the experts said.
Kaspersky Lab also believes that services should not be blamed for what happened. According to the representative of the company Yuri Namestnikov, users should not set access settings to “available to everyone” in order not to get into such a situation.
What should users do?
So, in Google Docs there are access settings.
They have three levels:
- for everyone on the internet
- for anyone with a link
- for selected users.
Documents with the settings “for everyone on the Internet” and “for everyone with a link” are not protected from public access and, accordingly, may appear in search results.
Therefore, if you want your document to be read and edited only by you and a limited circle of people (colleagues, friends, relatives), you must select the option “only available to those to whom you send an invitation.”
Security experts also recommend storing documents in cloud services, archiving files in advance – modern archiving programs allow you to encrypt data. This is an additional serious protection for confidential documents.