Employees of defunct startups face a significant security threat: hackers are exploiting expired company domains to hijack “Sign in with Google” sessions. This vulnerability allows attackers to gain unauthorized access to sensitive cloud-based platforms, including Slack, Notion, Zoom, and HR systems containing Social Security numbers and banking details.
The Anatomy of the Attack
Security researcher Dylan Ayrey, co-founder of Truffle Security, uncovered the flaw while investigating Google OAuth configurations. The attack vector is deceptively simple: once a startup fails, its domain often expires and becomes available for purchase. By acquiring these domains, malicious actors can recreate former employee email addresses.
Using these controlled emails, hackers can trigger the “Sign in with Google” feature on various SaaS applications that were previously connected to the company’s workspace. Because many cloud platforms allow broad access to all employees, an attacker can pivot from a simple chat app login to sensitive HR databases.
“That’s probably the biggest threat,” Ayrey noted. Data from HR systems is highly lucrative, making sensitive personal information like Social Security numbers a primary target for monetization.
Why Startups Are Uniquely Vulnerable
Ayrey estimates that tens of thousands of former employees and millions of SaaS accounts are at risk, based on his discovery of over 116,000 domains currently available for purchase from failed tech ventures. Startups are disproportionately affected due to their heavy reliance on a fragmented ecosystem of cloud software and Google Workspace integrations.
The Limitations of Existing Defenses
Google offers a security feature known as a “sub-identifier”—a unique string of numbers tied to a specific Google account—designed to prevent this exact type of session hijacking. When properly implemented by a SaaS provider, this identifier ensures that even if an email address is recreated, the account remains inaccessible to unauthorized users.
However, implementation remains inconsistent. Ayrey discovered that some HR providers avoid using sub-identifiers because they occasionally trigger false positives, locking legitimate users out of their accounts. While Google disputes that these identifiers are unreliable, the real-world friction prevents widespread adoption.
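The difference between the two account-matching patterns described above, as an added illustration that is not Truffle Security's or Google's code: the stable claim the article calls a "sub-identifier" is the `sub` claim of a Google OpenID Connect ID token, and a backend that keys user records on it cannot be fooled by a recreated e-mail address. All accounts, claim values and the `email_reuse_detected` helper are constructed for this example.

```python
# Why SaaS backends should key accounts on Google's stable "sub" claim
# rather than on the e-mail address carried in an ID token.
# Every user record, claim value and identifier below is a constructed
# sample; in a real backend the claims come from a signature-verified token.
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    email: str
    google_sub: str  # unique per Google account and never reused


# User table as left behind when the startup shut down (constructed).
ACCOUNTS = [Account("acct-42", "alice@defunct-startup.example", "sub-111111")]

# Claims for the original employee and for someone who re-registered the
# expired domain and recreated the same mailbox. The e-mail is identical,
# but the new Google account carries a different "sub" (constructed values).
ORIGINAL_EMPLOYEE = {"sub": "sub-111111", "email": "alice@defunct-startup.example"}
DOMAIN_SQUATTER = {"sub": "sub-999999", "email": "alice@defunct-startup.example"}


def resolve_by_email(claims, accounts=ACCOUNTS):
    """Weak pattern: whichever Google account presents the e-mail gets in."""
    for acct in accounts:
        if acct.email.lower() == claims["email"].lower():
            return acct.account_id
    return None


def resolve_by_sub(claims, accounts=ACCOUNTS):
    """Hardened pattern: match only on "sub". An unknown "sub" is a different
    Google account even if its e-mail matches an old user, so the old
    account's data stays inaccessible (the caller may offer a fresh, empty
    account or deny sign-in, but must never attach it to acct-42)."""
    for acct in accounts:
        if acct.google_sub == claims["sub"]:
            return acct.account_id
    return None


def email_reuse_detected(claims, accounts=ACCOUNTS):
    """Detection signal worth logging: the e-mail matches an existing account
    but the "sub" does not, which is exactly the recreated-mailbox case."""
    by_email = resolve_by_email(claims, accounts)
    return by_email is not None and resolve_by_sub(claims, accounts) != by_email
```

Providers that key on e-mail for convenience can keep the weak lookup for now and still raise an alert from `email_reuse_detected` while they migrate records to `sub`.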
Google’s Evolving Response
Google’s stance on the vulnerability has shifted over time. Initially, the company dismissed the report, classifying the issue as a “fraud” matter rather than a technical bug. However, following a presentation at the ShmooCon security conference, Google reopened the ticket and awarded Ayrey a $1,337 bounty.
Currently, Google has not released a technical patch for the flaw. Instead, the company has updated its official documentation to urge cloud providers to enforce sub-identifier usage and provided guidelines for founders on properly decommissioning Google Workspace.
Ayrey acknowledges that the burden often falls on founders during the chaotic process of shutting down a business. “When the founder has to deal with shutting the company down, they’re probably not in a great head space to be able to think about all the things they need to be thinking about,” he said.
