In late October of 2017, Black Hills Information Security, a security research group, publicly disclosed how a vulnerability in the Google Calendar app was leaving more than a billion users open to a credential-stealing exploit. Scammers were able to exploit the security vulnerability by inviting users to a meeting and including a malicious link in the invitation or message. This malicious link, when opened, allowed scammers to collect credit card, debit card, and bank account information. Google’s failed security measures may have compromised your account information. Did you receive a Google Calendar invitation from an unknown source that offered a financial incentive for providing financial or other personal information? If you think your information was stolen, you may be entitled to monetary damages. Please fill out the contact box and one of our experienced data breach attorneys will contact you promptly.
In October of 2017, Black Hills discovered a vulnerability in the Google Calendar app that allowed scammers to inject calendar events into user calendars without even sending a notification email and without requiring users to manually accept the calendar event. Black Hills was able to successfully recreate the process used by scammers to exploit the security vulnerability in the Google Calendar app.
Black Hills dubbed the exploitation of the vulnerability a “sophisticated scam,” whereby users of the Google Calendar app are being targeted using malicious and unsolicited Google Calendar notifications. The Calendar app is designed such that anyone can schedule a meeting with another user. When the calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The scammers include a malicious link in the invitation and exploit users’ trust in calendar invitations to spam users with phishing links to credential-stealing websites. According to a Forbes report, “[b]y populating the location and topic fields to announce a fake online poll or questionnaire with a financial incentive to participate, the threat actors encourage the victim to follow the malicious link where bank account or credit card details can be collected.”
Black Hills notified Google of the vulnerability in early October of 2018. Initially, Google responded by releasing an update to the Calendar app and silently adding an option to disable the functionality of the exploit by changing certain settings. However, Black Hills found a way to bypass the settings and provided Google a step-by-step procedure to do so. Not until June of 2019 did Google respond to a Forbes article detailing the security vulnerability:
Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Combating spam is a never-ending battle, and while we’ve made great progress, sometimes spam gets through. We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts. In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filters.
Google did not acknowledge the specific security vulnerability until September 9, 2019, when a Google employee stated in a post on the Google Calendar Help community forum that “[w]e’re aware of the spam occurring in Calendar and are working diligently to resolve this issue. We’ll post updates to this thread as they become available. Learn how to report and remove spam. Thank you for your patience.”
However, affected Google Calendar users have suffered an ascertainable loss in that they have been duped into providing financial information to scammers because of Google’s lax security measures and must undertake additional security measures, some at their own expense, to minimize the risk of future data breaches including cancelling credit cards and debit cards and changing passwords for accounts. Furthermore, Google Calendar users have no guarantee that the above security measures will in fact adequately protect their personal information. Google Calendar users therefore have an ongoing interest in ensuring that their personal information is protected from past and future cybersecurity threats.
You may have a claim against Google if you use the Google Calendar app and received a suspicious calendar event containing a link to a site and asking for financial information. CONTACT FDAZAR IMMEDIATELY. We will fight to get you the recovery you deserve.
Franklin D. Azar & Associates is well known in the class action community. For over 30 years, our attorneys have protected the rights of individuals who have been taken advantage of by big corporations, and during that time, have secured over $1.5 billion in compensation, including over $750 million from Walmart in a wage and hour dispute that spanned approximately 26 states. FDAzar has been and is involved in class actions and mass tort actions against other large corporations like Facebook, Google, Marriott, Discover, Toyota, Hewlett Packard, British Petroleum, and 401k providers. Our class action department is staffed with experienced and knowledgeable attorneys who focus on litigating large, complex cases on behalf of consumers, employees and investors who have suffered losses.