Google Blacklist Contained Confidential Information

Internet security firm Finjan will confirm on Monday that Google’s much-discussed anti-phishing blacklist contained confidential usernames and passwords of individuals, including credentials for accounts at banks and other financial institutions. See the screen shot below for an example – click for a larger view.

Google’s current anti-phishing blacklist, which has no access protection, is here. It’s It used by the Google Safe Browsing for Firefox extension which is now part of the Google Toolbar for Firefox, according to Michael Sutton, who has spent some time analyzing it.

Google has not publicly discussed the error, although they quietly removed the offending data. They have, however, acknowledged it in email correspondence with Finjan, which was forwarded to me. Google has since removed the confidential data.

This is nowhere near as serious an issue as the AOL search data released in August 2006. However, a public statement by Google on the issue is warranted, along with confirmation that they have attempted to contact the affected individuals.