Google Workspace Accounts Created by Bypassing Verification


We all get irritated at times by email verification systems, even though we know they keep our accounts and information safe. Imagine the shock when it turns out criminals bypassed that verification. Google has admitted to fixing an authentication weakness in Workspace accounts that allowed criminals to bypass email verification.

Google Admits to Compromising Workspace Accounts

This admission stems from a person notifying a cybersecurity blog, explaining that they had received a notice that their email address had been used to create a Workspace account. Google blocked it, as it was potentially malicious.


The notice from Google said it had identified a campaign by cybercriminals that bypassed email verification to create Email Verified Google Workspace accounts via a “specially conducted request.” This gave the criminals access to third-party apps that use “Sign in with Google.”

Google went on to say it fixed the weakness within 72 hours of finding it. It has also added more detection, in the hope of keeping the authentication from being bypassed in the future.

How Cybercriminals Bypassed Email Verification

Director of Abuse and Safety Protections at Google Workspace, Anu Yamunan, told the cybersecurity blog that the criminal activity started in late June, and “a few thousand” Workspace accounts were created without the email verification.

Bypassing the system mattered to the criminals because only Google Workspace accounts that can verify control over the domain name associated with their email address get access to services that aren’t in the free trial. Before this, none of the affected domains had been associated with a Workspace account.


The cybercriminals used one email address to attempt to sign in and a different one to verify a token. Once the email had been verified, they would sometimes access a third-party service using a Google sign-on.
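Using one address to start the flow and another to verify the token only works when the verification step does not check which address the token was issued to. The sketch below is an added illustration, not Google's code and not part of the original article; the `VerificationStore` class, its method names, and the 900-second lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time


def _norm(email):
    return email.strip().lower()


def _digest(token):
    # Store only a hash of the token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class VerificationStore:
    """Hypothetical pending-verification table: sha256(token) -> (email, expiry)."""

    def __init__(self, ttl=900):
        self.ttl = ttl          # assumed token lifetime in seconds
        self._pending = {}

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (_norm(email), now + self.ttl)
        return token  # mailed to `email` only

    def confirm_weak(self, claimed_email, token, now=None):
        # Flawed: any live token verifies whatever address the request claims.
        now = time.time() if now is None else now
        rec = self._pending.get(_digest(token))
        return rec is not None and now < rec[1]

    def confirm_bound(self, claimed_email, token, now=None):
        # Hardened: single use, unexpired, and issued to this exact address.
        now = time.time() if now is None else now
        rec = self._pending.pop(_digest(token), None)
        if rec is None or now >= rec[1]:
            return False
        return hmac.compare_digest(rec[0].encode(), _norm(claimed_email).encode())
```

With `confirm_bound`, a token mailed to one address cannot mark a different address as verified, and a failed attempt consumes the token.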

It’s worth noting, too, that none of the Workspace accounts were used to affect Google services negatively, just to impersonate domain holders. The person who contacted the blog said the process was used to associate his domain with a Workspace account. His domain is connected to multiple third-party services, and Google informed him that the unauthorized Workspace account was used to sign in to his account with Dropbox.

It sounds like if you haven’t received a notice from Google about your email, you don’t need to worry about your domain. But you may still become frustrated, knowing that you have to provide email verification when signing in with Google, even though cybercriminals figured out a way to bypass that step. You also may want to check out this Clario review of a cybersecurity app.


Laura Tucker
