Google Drive Misconfiguration Exposes Data of Nearly 1M Users

The Japanese game developer ateam Entertainment has recently discovered that a simple configuration error on Google Drive could potentially lead to the unauthorized disclosure of confidential information of nearly a million individuals. The Japanese company is well-known for creating mobile games and applications.

On November 21, 2023, ateam informed its users, employees, and business partners about its discovery. According to the company, the incorrect configuration had been in place since March 2017, allowing anyone to access its files on Google Drive without signing in to a Google account.

The misconfigured Google Drive instance held 1,369 files containing personal information about ateam customers, business partners, current and former employees, as well as interns and job applicants. A total of 935,779 individuals had their data exposed, with customers accounting for 98.9% of those affected.

An analysis of the exposed data reveals that the specific information compromised differs depending on the individual’s relationship with the company. The following details may have been exposed:

  • Full names
  • Email addresses
  • Phone numbers
  • Client numbers
  • Device (terminal) identification numbers

Although no specific evidence has been found to suggest that the exposed information was stolen by attackers, ateam Entertainment urges affected individuals to remain vigilant against unwanted and suspicious messages.

It is worth noting that enabling the “Everything on the Internet” setting for a Google Drive file makes it accessible only to those with the exact URL. This feature is typically used for collaboration on non-confidential data among individuals. However, if an employee or user shares the link publicly, it can be indexed by search engines and become publicly available.

While it is unlikely that someone would independently stumble upon the open URL of the Google Drive files, this incident highlights the importance of properly securing cloud services to prevent inadvertent data disclosure.
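One way to check for the sharing setting described above, as an added example that is not from ateam or the original article: the function flags files whose permissions include the Drive API v3 type `anyone`, which is how link sharing without sign-in appears in a file listing. The listing, file IDs, and file names are constructed sample data, and the function name is hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed sample, shaped like a Drive API v3 files.list response requested with
# fields=files(id,name,createdTime,permissions(type,role,allowFileDiscovery)).
SAMPLE_LISTING = json.loads("""
{"files": [
  {"id": "FILE_A", "name": "customer_export.csv", "createdTime": "2017-03-01T00:00:00Z",
   "permissions": [{"type": "user", "role": "owner"},
                   {"type": "anyone", "role": "reader", "allowFileDiscovery": false}]},
  {"id": "FILE_B", "name": "internal_wiki.docx", "createdTime": "2023-01-10T00:00:00Z",
   "permissions": [{"type": "user", "role": "owner"},
                   {"type": "domain", "role": "reader", "allowFileDiscovery": false}]},
  {"id": "FILE_C", "name": "press_kit.zip", "createdTime": "2022-06-01T00:00:00Z",
   "permissions": [{"type": "anyone", "role": "reader", "allowFileDiscovery": true}]},
  {"id": "FILE_D", "name": "shared_notes.txt", "createdTime": "2021-09-15T00:00:00Z",
   "permissions": [{"type": "anyone", "role": "writer", "allowFileDiscovery": false}]}
]}
""")

def audit_public_sharing(listing, now):
    """Return one finding per permission of type "anyone" (no sign-in needed)."""
    findings = []
    for f in listing.get("files", []):
        for perm in f.get("permissions", []):
            if perm.get("type") != "anyone":   # user/group/domain grants need sign-in
                continue
            created = datetime.fromisoformat(f["createdTime"].replace("Z", "+00:00"))
            findings.append({
                "id": f["id"],
                "name": f["name"],
                "role": perm.get("role"),
                # allowFileDiscovery=false: reachable only with the exact URL
                "exposure": "searchable" if perm.get("allowFileDiscovery") else "link-only",
                # Upper bound: the listing gives file age, not when the link was enabled
                "max_days_exposed": (now - created).days,
            })
    # Worst first: writable, then searchable, then longest-lived
    findings.sort(key=lambda x: (x["role"] != "writer",
                                 x["exposure"] != "searchable",
                                 -x["max_days_exposed"]))
    return findings

if __name__ == "__main__":
    for finding in audit_public_sharing(SAMPLE_LISTING, datetime.now(timezone.utc)):
        print(finding)
```

The domain-restricted file is not reported because opening it still requires an account in that domain.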
