Application security

Google removes personal information from anti-phishing blacklist


Google's publicly available anti-phishing blacklist contained confidential information that could have been used for identity theft, but any private data has been removed, a security firm reported Monday.

The site consists of thousands of fraudulent URLs reported to Google’s anti-phishing tool.

But as recent as the beginning of this month, some of those domains submitted by users included usernames, passwords and other confidential information, web-security vendor Finjan said in a news release.

"After examining the data provided in these files, Finjan found that sensitive user information was available on the web with no access protection, including emails, usernames, passwords and session tokens that could be used by hackers to compromise users’ privacy," said Yuval Ben-Itzhak, CTO of Finjan.

A Google spokesman told today that about 15 users were affected.

"We have removed this information from URLs in the blacklist and created a process whereby this information is automatically stripped from future URLs submitted by users," spokesman Barry Schnitt said. "In addition, we notified the users who inadvertently disclosed this information and suggested that they reset associated passwords."

To prevent similar future incidents, Finjan recommends users employ different usernames and passwords for sites they visit and disable URL sharing and forwarding functions.

This latest breach brings to mind an incident last summer in which AOL exposed millions of search queries, many containing personally identifiable information, on a public research website.

Click here to email reporter Dan Kaplan.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.