Apr 28, 2023

Passwords being shared across accounts

I have a security breach to raise.  
Consider the following situation:
  • Three people A, B and C all have individual google accounts.
  • There is a fourth account, X, which is accessible to all three of them.  This account, X, is used to administer a sports club where all three people may wish to send/receive emails about the sports club administration.

What has happened is that password information from accounts A and B (stored in password manager) has found its way into the password manager of account C.  Thus all private password information from these accounts is now accessible from the other account.

This appears to be a serious security issue.
Does anyone recognise this scenario?  Can it be recovered? 

Recommended Answer
Apr 28, 2023
Adding to Rupert's advice, I suspect that they were sharing a Chrome profile to sign in.  That can cause the offline profile data to be merged between accounts, either because someone signs in while another account is signed in to Chrome sync, or because they sign in to Chrome sync without creating a new profile.
Diamond Product Expert Rupert recommended this
All Replies (2)
Apr 28, 2023
Hi Dave, 

Welcome to the Google Account support community. This sounds pretty complex, and perhaps needs further info and clarification to understand what has occurred here. However, Google accounts are not designed or intended to be shared between different people, and this may be the root, or cause of the issue you are having now. Doing so can cause problems with security blocks, and locks for suspicious behaviour on the account.
 
Google do provide various tools to allow you to share access to various content and services on free Google accounts, such as Gmail Delegation:  https://support.google.com/mail/answer/138350
Sharing of Google Drive folders, and Photos can also be done without requiring everyone to be logging in to the account.
 
Ideally, if using Google professionally in business, it can be much better to pay for the professional 'Workspace' version of Google, as that does allow changes of who owns the accounts. More details on Workspace here:  https://workspace.google.com/faq/

Back to the issue with what you consider to be a security breach. Is it possible that any of these people have used the same device to login with? Depending where this is done, this can lead to things like contacts being combined or shared between accounts.

Also a possibility is that they were not using an account with an @gmail.com address, and this can cause various problems if they do login to an account with an @gmail.com address when they have not logged out of their original account. 

May 1, 2023
bkennelly may be better informed to advise you about Chrome Sync, but it may also be useful if you can confirm that there was a potential of 3 different accounts becoming synched due to them all signing into one account? As this does appear to be how this current issue has been caused. 

 This link about signing into multiple accounts may be useful to understand. Particularly the sections about being signed into multiple accounts and browser/device default accounts.   https://support.google.com/accounts/answer/1721977

Perhaps more importantly regarding this being a Google security issue: 
"You’re responsible for what you do with your Google Account, including taking reasonable steps to keep your Google Account secure"
Having shared the account login details between at least 3 people, then Google could well argue that reasonable steps weren't taken, which is why this password data has leaked/synched between the involved accounts. 

bkennelly will hopefully provide further information regarding Chrome Sync, and how to prevent this, and advise if this merge of data can be reversed. 
Last edited May 1, 2023
May 1, 2023
Yes, Chrome Sync backs up your profile data to a Google account and synchronises across devices, but it synchronises all data in that profile, including any passwords for other accounts that might have been saved there.  (It is intended to synchronise the data for one person, not necessarily one account.)

Confusing data from different people most often happens in two ways:
  • If Chrome is already signed in to one account, and set to save passwords, when another person uses it to sign in to their account.  The password is saved in the signed-in account.
  • If Chrome was previously used with one account and had the passwords saved, but the profile data was not deleted, and someone signs in to Chrome with a different account, the data will be merged.  (There is a warning pop-up in this case.)
Chrome has a warning against signing in to Sync on shared devices and the above-mentioned warning about signing in to sync with existing user data.

A shared device is the most likely explanation here, but it could also have resulted from the users synchronising account X without creating a separate profile.  (In the latter case, the passwords will also be in account X.)

The only recovery would be for each of the users to change their passwords and to be more careful about synchronising.  Don't share Chrome profiles and, most of all, as Rupert emphasized, stop sharing account credentials, and use delegation to share the common account.
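
An added example, not part of the original thread: a read-only audit of one Chrome profile that lists Google sign-in usernames saved in it that do not belong to the account the profile is synced to, which is the condition the answers above describe. It assumes Chrome's `Local State` JSON (`profile.info_cache`) and `Login Data` SQLite (`logins` table) layouts; the accounts and files in `build_sample` are constructed.

```python
import json, sqlite3, tempfile
from pathlib import Path

GOOGLE_REALM = "https://accounts.google.com/"

def profile_owner(local_state: Path, profile_dir: str) -> str:
    """Account the profile is signed in to, per Local State's profile.info_cache."""
    cache = json.loads(local_state.read_text())["profile"]["info_cache"]
    return cache.get(profile_dir, {}).get("user_name", "").lower()

def foreign_google_logins(login_db: Path, owner: str) -> list[str]:
    """Saved Google sign-in usernames that are not the profile owner's.
    Only the username column is read; stored passwords are never touched."""
    con = sqlite3.connect(Path(login_db).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT DISTINCT username_value FROM logins "
                           "WHERE signon_realm = ?", (GOOGLE_REALM,)).fetchall()
    finally:
        con.close()
    return sorted(u.lower() for (u,) in rows if u and u.lower() != owner)

def build_sample(root: Path) -> tuple[Path, Path]:
    """Constructed sample: a shared laptop profile synced to person C."""
    state = root / "Local State"
    state.write_text(json.dumps({"profile": {"info_cache": {
        "Default": {"name": "Club laptop", "user_name": "person.c@example.com"}}}}))
    db = root / "Login Data"
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                "password_value BLOB, signon_realm TEXT)")
    saved = [("person.a@example.com", GOOGLE_REALM), ("person.b@example.com", GOOGLE_REALM),
             ("person.c@example.com", GOOGLE_REALM), ("club.x@example.com", GOOGLE_REALM),
             ("person.a@example.com", "https://shop.example.net/")]  # non-Google: ignored
    con.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)",
                    [(realm, user, b"", realm) for user, realm in saved])
    con.commit()
    con.close()
    return state, db

def audit_sample() -> list[str]:
    """Run the audit over the constructed sample and return the flagged usernames."""
    with tempfile.TemporaryDirectory() as tmp:
        state, db = build_sample(Path(tmp))
        return foreign_google_logins(db, profile_owner(state, "Default"))

if __name__ == "__main__":
    print(audit_sample())
```

On a real machine, run it against a copy of the profile's `Login Data` file taken while Chrome is closed, since Chrome keeps the database locked while running.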