Google's publicly available anti-phishing blacklist contained confidential information that could have been used for identity theft, but any private data has been removed, a security firm reported Monday.
The site consists of thousands of fraudulent URLs reported to Google’s anti-phishing tool.
But as recent as the beginning of this month, some of those domains submitted by users included usernames, passwords and other confidential information, web-security vendor Finjan said in a news release.
"After examining the data provided in these files, Finjan found that sensitive user information was available on the web with no access protection, including emails, usernames, passwords and session tokens that could be used by hackers to compromise users’ privacy," said Yuval Ben-Itzhak, CTO of Finjan.
A Google spokesman told SCMagazine.com today that about 15 users were affected.
"We have removed this information from URLs in the blacklist and created a process whereby this information is automatically stripped from future URLs submitted by users," spokesman Barry Schnitt said. "In addition, we notified the users who inadvertently disclosed this information and suggested that they reset associated passwords."
To prevent similar future incidents, Finjan recommends users employ different usernames and passwords for sites they visit and disable URL sharing and forwarding functions.
This latest breach brings to mind an incident last summer in which AOL exposed millions of search queries, many containing personally identifiable information, on a public research website.
Click here to email reporter Dan Kaplan.