It is used by millions of people on the Internet every day. Now, it is also used with increasing frequency by hackers seeking sensitive data like Social Security numbers: a Google search.
A recent data breach at Yale University marks the latest example of a security flaw exposed by "Google hacking," which involves querying the popular search engine for website vulnerabilities. For 10 months, names and Social Security numbers belonging to 43,000 people affiliated with Yale were visible through a Google search, the Yale Daily News reported last week.
On Monday, the security firm Identity Finder said it found 300,000 names and Social Security numbers of California residents who applied for workers' compensation benefits by searching Google for common keywords. And in June, an Australian security consultant said the customer database of Groupon's India subsidiary was also visible through a Google search.
"This is happening more and more frequently," said Francis Brown, managing partner at the IT consulting firm Stach and Liu.
Google hacking has been around for a few years, but has recently become easier as Google indexes greater quantities of information, Brown said. While fewer than 11 million PDF documents were searchable in Google in 2004, there are now 513 million, Brown said.
"Google is so much better at indexing now," Brown said, so hackers "have a better chance of finding interesting things."
The hacker group LulzSec, which has claimed responsibility for hacking Sony, Citigroup, the CIA and the U.S. Senate, has been picking its targets "purely based on whatever they find with their 'google hacking' queries," a group calling itself the "A-Team" claimed in June.
Yale officials said the data, which did not include addresses, birth dates or financial information, was housed on a file transfer protocol (FTP) server. The breach occurred because they were unaware that Google had changed its search engine last fall to find and index such servers, the university's IT director told the Yale Daily News.
Neither Google nor Yale returned requests for comment. But Brown said it was Yale's responsibility to monitor its own security. There is no way for Google to determine whether sensitive data can be exposed in a search result given the vast number of websites the search engine indexes, he said.
"While Google is making it easier for attackers to identify vulnerabilities, they're not responsible for those vulnerabilities existing to begin with," Brown said.
Google hackers type lines of code into search engines to target vulnerabilities in specific types of software, not institutions, Brown said. At the Black Hat security conference in Las Vegas earlier this month, Brown unveiled tools his firm created to help companies quickly locate their own security flaws through search engines.
The Yale file made public mostly contained the personal information of people who worked for the university in 1999, school officials said. This raises the question of why the university was still storing Social Security numbers belonging to people who may have left the university, according to Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse.
"Is it necessary for those Social Security numbers to be retained? It would seem to me that it's not and so that data should be purged," Stephens said.
The breach at Yale was the latest in a string of security lapses at colleges and universities. On Aug. 10, University of Wisconsin-Milwaukee officials sent letters to about 75,000 current and former students notifying them that a data breach may have exposed their personal information, including Social Security numbers. The cause of the breach was malware, not Google hacking, officials said. Then last week, Purdue University officials notified more than 7,000 former Purdue students that hackers breached a server containing their personal data, including Social Security numbers. The cause of the breach was not given.
Mark Rotenberg, executive director of the Electronic Privacy Information Center, predicted recent security failures would continue as long as there are no incentives for institutions to protect the growing amounts of sensitive information they collect.
"Universities have gone on a binge gathering data without thinking carefully about security practice," Rotenberg said. "We think that puts individuals at risk."