Data leak in a small community group

Security incidents are not rare, and they're only getting more common as attackers get access to AI and use it to automate things they would previously have had to do manually. We've just had a security incident in a community group (80ish people) that I'm a member of, and I wanted to share what happened, and what we could have done differently, because this could happen to your groups too!

The overall impact of the incident was a data leak of most of the members' names, email addresses, and telephone numbers, a little bit of spam in our WhatsApp group, and probably also a leak of the access codes to the car park at our venue.

What happened?

The group meets every week, and a few days before each meeting the leadership team send out an email detailing what we're going to be doing that week, and addressing any administrative matters that we need to take care of. We use a Google Groups mailing list as the recipient of this email, so that members can manage their own subscriptions. Since way back when, we have also made any emails sent to this mailing list searchable online, so that members who don't want to subscribe to the mailing list can also read the details of the upcoming meeting.

A few weeks ago, we held a group weekend away together. This was managed by a shared Google Docs spreadsheet, into which members put their email addresses, availability, choice of activities, dietary requirements, lift-share details, etc. Dietary requirements sometimes included medical information, e.g. diabetes. Lift-share details sometimes included pick-up and drop-off locations, at suburb, street, or even address level. This sheet was accessible to anyone who had the link. The link was shared on the mailing list so that all members could sign up for the weekend away.

A few months ago we also launched a WhatsApp community, to unify the various group chats that had sprung up and to have a new official channel for more rapid comms than the mailing list. The invitation for this WhatsApp community was shared on the mailing list.

The leak

The first sign that something had gone wrong was some US numbers joining our community. Initially no big deal; we have some international members so we don't need everyone to have a UK number. But yesterday one of them started some crypto investment spam, and we deleted and blocked them, and began to question who they actually were and why they were here.

We then realised that they must have come via the mailing list making the WhatsApp group join link publicly visible, and it had been scraped by some bots. These bots would have had access to the weekend away spreadsheet too, and so now had a list of members' names and email addresses, sometimes with physical addresses and medical conditions. By joining the WhatsApp group, the bot would also have had access to the phone numbers people were using with WhatsApp, often also linked to their names.

Fixes and remediations

This is what we have done or could have done as a group to avoid this issue:

  1. Block the intruding bots, delete the spam. First and most obvious action, but doesn't resolve anything, just tidies up the symptoms.
  2. Remove the mailing list emails archive, and stop new messages to the mailing list being publicly visible. This removes what we think was the root cause of this incident. We'll need to check if we still have any members who can't receive updates via either the mailing list or via the WhatsApp group.
  3. Use better access control on the weekend away spreadsheet. Don't make it accessible to anyone who has the link, but instead limit it to known Google accounts of group members. This would have prevented the data leak of (some) names, email addresses, addresses and medical information.
  4. Don't allow people to join the WhatsApp group just via the invite link, but instead require an admin to approve each join request, ideally after confirming with that person physically at one of our weekly meetings. This would have reduced the chance of someone being able to join the group, spam it, and acquire the members' phone numbers.
  5. Switch to a more secure messaging platform such as Signal, which doesn't expose group members' phone numbers to other members (assuming users have configured it correctly). This would mean that even if someone did join our group, members' phone numbers would not be exposed.
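
Before the archive is taken down in step 2, it is worth listing what it exposed so that each link or code can be revoked or changed. The script below is an added example, not part of the original post: it scans exported messages for WhatsApp invite links, Google Docs links and posted access codes. The regex patterns, the raw-message export format and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Assumed patterns for things that grant access to whoever reads them.
PATTERNS = {
    "whatsapp_invite": re.compile(r"https://chat\.whatsapp\.com/[A-Za-z0-9]+"),
    "google_doc": re.compile(
        r"https://docs\.google\.com/(?:spreadsheets|document|forms)/d/[\w-]+"),
    "access_code": re.compile(r"(?i)\bcode\b\D{0,20}\d{4,6}\b"),
}

def audit_archive(raw_messages):
    """Return one finding per distinct secret, with the first message exposing it."""
    seen, findings = set(), []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        body = msg.get_body(preferencelist=("plain", "html"))
        text = body.get_content() if body is not None else ""
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                key = (kind, match.group(0))
                if key in seen:
                    continue  # already reported from an earlier message
                seen.add(key)
                findings.append({"kind": kind, "value": match.group(0),
                                 "subject": str(msg["Subject"])})
    return findings

# Constructed sample archive: placeholder addresses, IDs and code.
SAMPLE_ARCHIVE = [
    "From: leaders@example.org\nSubject: Weekend away sign-up\n\n"
    "Sign up: https://docs.google.com/spreadsheets/d/EXAMPLE_SHEET_ID/edit\n"
    "The car park code is 0000.\n",
    "From: leaders@example.org\nSubject: Join our WhatsApp community\n\n"
    "Join here: https://chat.whatsapp.com/EXAMPLEINVITE\n",
    "From: leaders@example.org\nSubject: This week\n\nJust the programme.\n",
]

if __name__ == "__main__":
    for f in audit_archive(SAMPLE_ARCHIVE):
        print(f"{f['kind']:16} {f['value']}  (first seen in: {f['subject']})")
```

Every finding is something to rotate or lock down, not just to delete from the archive, since it may already have been copied.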

Finally, one other member and I had used a masked email in the weekend away spreadsheet, which means that our two email addresses were not leaked. This isn't something we can do for all of our group members, but is something they can sort out themselves using a service like SimpleLogin or MaskMail.