A security lapse at Google’s VirusTotal platform exposes the names and email addresses of thousands of users, including employees of U.S. and German intelligence agencies.
In a shocking security lapse, a file containing the names and email addresses of 5,600 registered users of Google’s VirusTotal platform was unintentionally made public in late June. This incident was first reported by The Standard, a German news outlet, authored by Marcel Rosenbach, and
A Popular Tool Among Hackers
VirusTotal is a tool widely used by cybersecurity experts around the world, serving as a massive malware database. Users upload suspicious files or links to the platform for virus detection, helping build a global repository of digital attack tools. However, its users are not limited to security experts, as the platform also finds favor among hackers and intelligence agencies.
The Leaked Data
The leaked file, although small at 313 kilobytes, contained significant details. Names of employees from the U.S. National Security Agency (NSA) and German intelligence agencies, among others, were included in the list. The Standard and the German magazine Der Spiegel independently verified the list’s authenticity.
The list of compromised users included 20 accounts linked to the U.S. “Cyber Command”, the part of the American military responsible for both offensive and defensive hacking operations. Other notable entities in the list include the U.S. Justice Department, the Federal Bureau of Investigation (FBI), and intelligence agencies from countries such as the Netherlands, Taiwan, and the U.K.
From Austria, the affected organizations are the Federal Ministry for National Defense and the Interior Ministry. The list also included three employees from Germany’s Federal Office for Information Security (BSI), and several employees from German corporations. The leaked information presents opportunities for malicious activities like social engineering and targeted phishing attacks.
Google, known for its robust defense against hacker attacks, owns VirusTotal. A spokesperson from Google Cloud revealed that a VirusTotal employee had “unintentionally made a small part” of the customer data accessible. She added that they removed the list from the platform within an hour of the upload and are working to enhance internal processes and technical controls to prevent similar incidents in the future.
A Double-Edged Sword
While the leak has raised eyebrows given Google’s reputation for data security, it also highlights the inherent risks of using such platforms. VirusTotal can inadvertently become a source of critical information leaks. For instance, in 2022, an email from the German Association for Mechanical Engineers (VDMA), which contained a link to an interior ministry web portal and its corresponding password, was temporarily available on the platform.
In another ironic twist, hackers often use VirusTotal to ensure their espionage software is undetectable by antivirus manufacturers. As such, VirusTotal simultaneously aids those it is intended to protect and those it seeks to neutralize.
In response to the leak, the BSI confirmed that they believed the data to be authentic. However, they saw no critical risk for their affected employees. They reiterated their advice to federal agencies not to upload files to VirusTotal, citing the explicit consent to third-party data sharing in the platform’s terms of service.