Attention site owners: former employees, consultants, or contractors may now have access to your Google Webmaster Tools and Analytics accounts. A Google security flaw has restored access to users who no longer should have that access.
As David Naylor explained:
From initial glance at our WMT’s accounts we now have regained access to every old account we have previously been given access to, whether that is a previous client or maybe a site that came to us for some short term consultancy. … Now that WMT is so much more powerful than it ever was there is a serious risk that damage could be caused to sites by people who no longer have permission to make changes. Things like disavow link lists, deindex urls or the entire site, redirect urls, geolocation alterations .. a whole world of pain.
If you haven’t yet, go check your Google Webmaster Tools account and turn off access to any users who have been mysteriously reverified by Google today.
Reports of the security issue began trickling in this afternoon, and are now all over Twitter. Clients and SEOs this afternoon began noticing that an old agency or former employee suddenly was a verified owner – despite their access to Webmaster Tools being turned off in some cases for longer than a year.
Most of the reports seem to be related only to Google Webmaster Tools, aside from Naylor’s report about Google Analytics.
One noteworthy example comes from Dennis Goedegebuure, the former SEO director at eBay, who today discovered he had had access to eBay’s GWT account, even though he hasn’t worked there for 15 months, the Next Web reported.
Hopefully Google will address this issue quickly, as there is definite potential for site owners to be harmed.
UPDATE: Google says the problem is now fixed. “For several hours yesterday a small set of Webmaster Tools accounts were incorrectly re-verified for people who previously had access. We’ve reverted these accounts and are investigating ways to prevent this issue from recurring.”