Google Workspace password leaked
Description
AlphaSOC detected that a Google Workspace user's password has been identified as leaked. Google monitors known credential dumps and data breaches to identify when user passwords appear in compromised datasets.
Impact
Leaked passwords significantly increase the risk of account takeover. Attackers frequently test leaked credentials against multiple services, and if the password has been reused, they can gain unauthorized access to email, documents, and other Google Workspace resources. This can lead to business email compromise, data theft, and further attacks against the organization.
Severity
| Severity | Condition |
|---|---|
| Medium | Google Workspace password leaked |
Investigation and Remediation
Immediately force a password reset for the affected user. Review the user's recent login activity for signs of unauthorized access. Check for suspicious email forwarding rules, OAuth application grants, or document sharing changes.
Verify the user understands not to reuse passwords across services. Consider implementing password monitoring tools and enforcing multi-factor authentication. Review whether any sensitive data may have been accessed during the exposure period.
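The review steps above can be scripted over exported audit events. The following is an added example, not AlphaSOC or Google code: it flags logins from IPs not seen before the exposure window, along with forwarding, OAuth grant, and sharing events inside it. The flattened record shape, the event names, and the sample data are assumptions to check against your own log export; the window would normally end at the forced password reset.

```python
from datetime import datetime

# Event names modelled on Google Workspace audit logs: assumptions to confirm
# against your own log export. Records are flattened, not raw API output.
REVIEW_EVENTS = {
    "email_forwarding_out_of_domain": "external mail forwarding enabled",
    "authorize": "OAuth application grant",
    "change_document_visibility": "document sharing change",
}

def ts(value):
    return datetime.fromisoformat(value)

def triage(events, user, window_start, window_end):
    """Return (time, finding, detail) tuples for `user` inside the exposure window."""
    start, end = ts(window_start), ts(window_end)
    mine = sorted((e for e in events if e["actor"] == user), key=lambda e: ts(e["time"]))
    # Baseline: IPs the user logged in from successfully before the window opened.
    baseline = {e.get("ip") for e in mine
                if e["name"] == "login_success" and ts(e["time"]) < start}
    findings = []
    for e in mine:
        if not start <= ts(e["time"]) <= end:
            continue
        if e["name"] == "login_success" and e.get("ip") not in baseline:
            findings.append((e["time"], "login from IP not seen before exposure", e.get("ip")))
        elif e["name"] in REVIEW_EVENTS:
            findings.append((e["time"], REVIEW_EVENTS[e["name"]], e.get("detail", "")))
    return findings

def ev(time, actor, name, ip=None, detail=""):
    return {"time": time + "+00:00", "actor": actor, "name": name, "ip": ip, "detail": detail}

# Constructed sample events; addresses use documentation IP ranges.
A = "alice@example.com"
SAMPLE = [
    ev("2024-05-01T08:00:00", A, "login_success", "192.0.2.10"),
    ev("2024-05-10T09:00:00", A, "login_success", "192.0.2.10"),
    ev("2024-05-11T02:14:00", A, "login_success", "203.0.113.77"),
    ev("2024-05-11T02:20:00", A, "email_forwarding_out_of_domain", detail="fwd@example.net"),
    ev("2024-05-11T02:31:00", A, "authorize", detail="constructed-mail-sync-app"),
    ev("2024-05-11T03:00:00", "bob@example.com", "login_success", "198.51.100.5"),
    ev("2024-05-13T09:00:00", A, "login_success", "198.51.100.9"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, A, "2024-05-10T00:00:00+00:00", "2024-05-12T12:00:00+00:00"):
        print(*row, sep=" | ")
```

A login from a new IP is a lead for review, not proof of compromise; travel, VPN changes, and mobile networks produce the same signal.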
Known False Positives
- Password changes may not be immediately reflected in leak databases
- Historical leaks from before the user joined the organization