A security researcher who worked on a security hole in Google’s open-source operating system has released a report saying he believes the company’s cloud-based security system was breached in a massive attack that compromised over 700 million records.
The security flaw, disclosed last week by the researcher, is believed to be related to Google’s Google Cloud Security service.
“Google Cloud Security was compromised in an exploit that exploited a vulnerability in Google Cloud Services to compromise over 700m Google Cloud credentials,” the researcher wrote.
The report also said a “highly sophisticated” attack on the service has been observed in the wild, and that recovery from the attack could take weeks.
The exploit was able to gain access to accounts that had been locked by Google for six months or more.
The researcher has also revealed how the exploit works and where it may have originated from.
Google’s Cloud Security is one of the largest and most widely used pieces of security software in the world.
It is used by the likes of Facebook, Apple and Microsoft, and also operates in more private organisations such as healthcare organisations.
Google says it patched the bug last year, and that it was not able to recover any sensitive data.
It has not confirmed whether the data was compromised or not.
The vulnerability was discovered by the software researcher Timo Sørensen in June, and then published by the security research company Elastix last week.
In the report, Mr Sørensen writes that he was able “to get into an entire list of Google Cloud services” that was being used by an unnamed customer in Germany.
“My research also showed that my exploits were able to breach the security of several Google products, including Gmail, Chrome, Google Calendar, YouTube, Maps, Calendar and Play Store,” Mr Sørensen wrote.
“This included the Gmail and Google Calendar products, and of course Google Play Store, which has the most sensitive data in the Google Cloud.”
Google did not respond to requests for comment.
The Elastix blog post quoted Mr Sørensen as saying he was “a Google security researcher and developer”.
He has been in contact with Google and has provided information to help them understand what happened.
“The company has taken immediate steps to address the issue,” the blog post continued.
“Unfortunately, the details we have shared in this post are still very limited and may change.”
“However, we have received reports from Google that a very small number of accounts have been compromised, and it is unlikely that any more accounts have now been compromised.”
“In any case, the information we have published has already been used by hackers to commit data theft in the past, and we hope that this time it is not just an isolated incident.”
The researcher said he did not find any proof of an attack against the company itself.
But Mr Sørensen said that Google had not been forthcoming with the information.
“It is still not clear whether Google has notified us that it has found a vulnerability and is fixing it,” he wrote.
He said he had contacted Google twice in the last week to request more information about the attack and received a response that was “extremely vague”.
He said Google’s response was “really disappointing”.
“If they can’t explain how and when they discovered the flaw, how did they discover the flaw in the first place?”
He also said that while he had not personally been affected by the vulnerability, he was concerned about the impact it could have on other researchers.
“I’m also concerned that other researchers who have been following the progress of this vulnerability for some time will also be affected,” he added.
Mr Sørensen’s report comes after an attack on Microsoft’s Windows operating system was also reported by Elastix, which said a hacker had breached a Microsoft cloud-services server, stolen data from the service and been able, by a combination of brute force and remote code execution, to obtain more than 800 million credentials.
It was not immediately clear if the information had been used in an attack.
Microsoft did not immediately respond to a request for comment about Mr Sørensen’s findings.
In addition to the security breach, Google said it was also in the process of updating its security software, but it would not say how many records had been affected.
Security researcher Tim Sødensen said he discovered a “very small number” of Google accounts were compromised.
He published a report in June that alleged that the company had been hacked by a hacker who stole data and credentials from a large number of services in the cloud.
Google released a patch for the vulnerability last year.