Updated: Google Webmaster Tools Security Bug Re-Opens Access To Old Accounts [Now Fixed]

google-webmaster-tools-logoA security bug in Google Webmaster Tools has given users access to old accounts and websites that they’re no longer supposed to be able to access.

The problem was discovered Tuesday and reported on several SEO blogs and news outlets — including (first, I believe) by Dave Naylor — and was discussed pretty heavily by search marketers on Twitter. We asked Google late Tuesday afternoon to comment on the bug reports, but have not received a reply.

What’s happening in some, not all, Webmaster Tools accounts is that users are finding themselves with sudden access to accounts that they once had access to, but no longer do; i.e., former clients, employers and the like. That bug is presumably giving a lot of power to individuals that shouldn’t have it — power to deindex, disavow links, unverify the current/legitimate webmaster’s access, and even redirect sites to other verified domains in the user’s account. It also reveals a lot of link, search, index/crawl and other data to users that shouldn’t be able to see those things.

The bug isn’t affecting my Webmaster Tools account, so here’s a screenshot from Dave Naylor’s account showing several verification changes that re-opened access to old accounts/websites.


There are reports that the same (or a similar) bug is affecting Google Analytics, and State of Search reported that some blocked connections in Google Talk have also been unblocked.

This is a serious problem and Google’s silence on it so far suggests that they’re still trying to sort out what’s happening and why — and how to fix it.

Postscript: Google has fixed the issue this morning, several hours after the breach. Here is the statement they sent us:

For several hours yesterday a small set of Webmaster Tools accounts were incorrectly re-verified for people who previously had access. We’ve reverted these accounts and are investigating ways to prevent this issue from recurring.

Google also tells us that, despite reports from users, Google Analytics was not impacted.

Related Topics: Channel: SEO | Google: Webmaster Central | Top News


About The Author: is Editor-In-Chief of Search Engine Land. His news career includes time spent in TV, radio, and print journalism. His web career continues to include a small number of SEO and social media consulting clients, as well as regular speaking engagements at marketing events around the U.S. He recently launched a site dedicated to Google Glass called Glass Almanac and also blogs at Small Business Search Marketing. Matt can be found on Twitter at @MattMcGee and/or on Google Plus. You can read Matt's disclosures on his personal blog.

Connect with the author via: Email | Twitter | Google+ | LinkedIn


Get all the top search stories emailed daily!  


Other ways to share:

Read before commenting! We welcome constructive comments and allow any that meet our common sense criteria. This means being respectful and polite to others. It means providing helpful information that contributes to a story or discussion. It means leaving links only that substantially add further to a discussion. Comments using foul language, being disrespectful to others or otherwise violating what we believe are common sense standards of discussion will be deleted. Comments may also be removed if they are posted from anonymous accounts. You can read more about our comments policy here.
  • http://lostpr.es/ David Iwanow

    Hmmm… i’ve checked several accounts and seen nothing but might be linked to something else such as how they originally verified… with more than a few options for verification it’s easy to see a bug appearing at some point DNS/GA/HTML/META?

  • daveintheuk

    Once again shows their arrogance by refusing to comment, or take down the affected systems.

    I can’t think of any other company that would act like this, especially when the stakes for companies affected are potentially so high (competitors gaining access to critical business systems). I hope some of those affected take Google to court.

  • A1 Brandz

    I have not noticed any such thing but if this is true then it is the matter of great concern and Google should act swiftly before anything undesired happens.


  • http://twitter.com/kittuk Aakanksha

    Yes, I noticed this issue about 3 hrs ago & quickly acted upon it. However, I didnt know it was a security error from Google’s end.

  • Matt McGee

    I also thought it might be related to how verification was done, David, but if you look at Dave Naylor’s screenshot closely, he appears to have access to accounts that were verified in different ways.

  • http://twitter.com/a2zsem a2zsem

    Yes, I Notices this issue just before 30 min for one of my clients’s website.i thought previous seo company added .. but it’s from google.. Google need to solve this as soon as possible

  • http://www.facebook.com/the.nathaniel.bailey Nathaniel Bailey

    Wow google fixed that sooner then I thought they would! Good on em for getting on with fixing it in such a timely manner :)

    I had read that people were reporting analytics had the same issue, is google saying this is not true correct? We only noticed the bug for a couple of old account on WMT but nothing in analytics, so I would guess its true, but wondered if anyone had screenshots to say other wise?

Get Our News, Everywhere!

Daily Email:

Follow Search Engine Land on Twitter @sengineland Like Search Engine Land on Facebook Follow Search Engine Land on Google+ Get the Search Engine Land Feed Connect with Search Engine Land on LinkedIn Check out our Tumblr! See us on Pinterest


Click to watch SMX conference video

Join us at one of our SMX or MarTech events:

United States


Australia & China

Learn more about: SMX | MarTech

Free Daily Search News Recap!

SearchCap is a once-per-day newsletter update - sign up below and get the news delivered to you!



Search Engine Land Periodic Table of SEO Success Factors

Get Your Copy
Read The Full SEO Guide