
Google Workspace Authentication Vulnerability Allowed Thousands of Accounts to be Exposed

Hackers managed to expose “a few thousand” accounts by circumventing the verification process on Google Workspace.

Thousands of accounts have been exposed after hackers used existing emails to create Google Workspace accounts and bypassed the verification process.

According to Google, a “specially constructed request” could open a Workspace account without verifying the email. This meant that bad actors only required the email address of their desired target to impersonate them.

While none of the fake accounts were used to abuse Google services, like Gmail or Docs, they were used to access third-party services through the “Sign in with Google” feature.

One impacted user that shared their experience on a Google Cloud Community forum was notified by Google that someone had created a Workspace account with their email without verification and then used it to log into Dropbox.
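The Dropbox case above is the pattern that matters for any third-party service: a newly created Google identity claiming an e-mail that already belongs to a local account. As an added illustration (not code from Google, Dropbox or the article), this hypothetical relying-party handler keys accounts on the stable `sub` claim, refuses to merge a federated identity into an existing local account on an e-mail match alone, and honours `email_verified`; the claim dictionaries in the comments and test are constructed.

```python
# Added illustration: claim handling for a 'Sign in with Google' style
# relying party. Token signature, audience and expiry are assumed to have
# been validated already by the caller.
from dataclasses import dataclass

@dataclass
class LocalUser:
    user_id: int
    email: str

class RelyingParty:
    def __init__(self):
        self.by_email = {}     # local e-mail -> LocalUser
        self.by_subject = {}   # (iss, sub)   -> LocalUser
        self._next = 1

    def register_local(self, email):
        """Ordinary signup; e-mail ownership is verified out of band."""
        user = LocalUser(self._next, email.lower())
        self._next += 1
        self.by_email[user.email] = user
        return user.user_id

    def login_with_idp(self, claims):
        """Returns (action, user_id). Never merges on e-mail match alone."""
        key = (claims["iss"], claims["sub"])
        user = self.by_subject.get(key)
        if user is not None:
            return "login", user.user_id          # known by stable subject
        email = claims.get("email", "").lower()
        existing = self.by_email.get(email)
        if existing is not None:
            # A new IdP identity claiming an existing local e-mail must be
            # confirmed by that local account (re-auth or mailed code);
            # silently linking here is what the forged accounts relied on.
            return "confirm_link_required", existing.user_id
        if not claims.get("email_verified", False):
            return "reject", None                 # IdP did not vouch for it
        uid = self.register_local(email)
        self.by_subject[key] = self.by_email[email]
        return "created", uid

    def confirm_link(self, user_id, claims):
        """Call only after the local account holder has proven control."""
        user = self.by_email.get(claims.get("email", "").lower())
        if user is None or user.user_id != user_id:
            return False
        self.by_subject[(claims["iss"], claims["sub"])] = user
        return True
```

Once a subject has been linked, later logins from that subject succeed without touching the e-mail path, so a later change of e-mail at the IdP cannot re-open the merge question.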

A Google spokesperson told TechRepublic: “In late June, we swiftly resolved an account abuse issue impacting a small subset of email accounts. We are conducting a thorough analysis, but thus far have found no evidence of additional abuse in the Google ecosystem.”

The verification flaw was limited to “Email Verified” Workspace accounts, so it did not impact other user types, like “Domain Verified” accounts.

Anu Yamunan, director of abuse and safety protections at Google Workspace, told Krebs on Security that malicious activity began in late June and “a few thousand” unverified Workspace accounts were detected. However, commenters on the story and on Hacker News claim that attacks actually started in early June.

In its message sent to impacted emails, Google said it fixed the vulnerability within 72 hours of it being discovered and that it has since added “additional detection” processes to ensure it cannot be repeated.
