Guide · 7 min read
Your 'Secure' Cloud Account Was Breached Three Months Ago (You Just Found Out)
The Breach You Might Not Know About
Here's a scenario that happens more often than you'd think: In March, one of your employees reuses, for their Google Workspace account, a password that was leaked in a breach of a different company. An attacker gets that password (probably from a leaked database on the dark web) and tries it on common systems. It works. They log in to your Google account. They poke around. Copy some files. Send a few test emails to see if anyone notices. Nobody does. Why would they? It's your company email. The account activity looks normal. They set up forwarding rules so they see every email that comes in. They're now quietly monitoring your business. This goes on for three months. In June, someone on your team runs a security audit and discovers "unusual login activity" from an IP address they don't recognize. Only then do you realize you've been breached for three months.
Why Breaches Are Hard to Detect
They Look Like Normal Activity — Someone logs in from an unfamiliar location. Could be a compromised account, could be someone traveling. You don't know.
They Happen Slowly — A breach isn't always a dramatic hack where attackers steal everything at once. Often they get access and just sit there. Watching. Collecting information. Setting up long-term access.
You Have No Visibility Into Your Own Systems — Unless you actively monitor login activity, you might not notice unusual patterns. And most small businesses don't actively monitor.
There's No Obvious Damage — If an attacker is just reading your email and copying files, you might not notice anything is wrong. Nothing's broken. Nothing's missing (as far as you can tell).
The Signs Are Subtle — Your email forwarding rules suddenly include a forwarding address you don't recognize. Your cloud storage has an unfamiliar shared folder. Someone changed your phone number for two-factor authentication. These are subtle signs, and you might miss them.
How Breaches Actually Happen
Path 1: Password Reuse — Your employee uses the same password at work and on a personal site. The personal site gets breached. Attackers have the password. They try it on business systems. Bingo.
Path 2: Weak Passwords — Your password is "password123" or "company name + current year." An attacker guesses it. They're in.
Path 3: Phishing — Someone sends an email that looks like it's from your IT department. "Please re-authenticate here." Your employee clicks, enters their credentials. The attacker now has them.
Path 4: Malware on a Device — Your employee downloads something that looks innocuous. It's malware. It logs their keystrokes. Every password they type gets sent to the attacker.
Path 5: Unpatched Software — You're running old versions of software that have known vulnerabilities. An attacker exploits those vulnerabilities and gets access.
Path 6: Social Engineering — Someone calls your company pretending to be from IT. "We need to reset your password for security. What's the current one?" Your employee, trying to be helpful, gives it to them.
The Warning Signs You're Missing
In Your Email System: Unusual login attempts from locations you don't recognize; email forwarding rules you didn't create; recovery email address changed to something unfamiliar; email not being delivered to people who should receive it (a forwarding rule is redirecting it).
In Your Cloud Storage: Shared folders or files you don't recognize; sharing permissions changed on sensitive documents; files modified on dates you don't remember modifying them; deleted files that you definitely didn't delete.
In Your Systems Generally: Failed login attempts in your access logs (might indicate someone trying passwords); new admin accounts you didn't create; recent password changes you didn't authorize; device activity from locations you don't recognize.
In Your External Interactions: Customers complaining that they received emails they don't recognize from your domain; vendors mentioning unusual requests from your team; your domain being used to send spam (you'll find out when ISPs start blocking your email).
How to Check If You've Been Breached (Right Now)
Step 1: Check Your Google Account (If You Use Google Workspace) — Go to myaccount.google.com/security-checkup. Look at: Recent security events; Active devices and sessions; Account recovery information (email, phone); Connected apps and sites. See anything you don't recognize? That's a warning sign.
Step 2: Check Login Activity — In Google Admin Console, go to Reports > Login & Sign-On Activity. Look at: When people logged in; Where they logged in from (which IP, which city); Which device they used. See logins from locations where you know people weren't? That's suspicious.
Step 3: Check Email Forwarding Rules — In Gmail, go to Settings > Forwarding and POP/IMAP. Do you have any forwarding rules you didn't create? If yes, remove them immediately.
Step 4: Check Cloud Storage Access — In Google Drive, go to Settings > Manage versions for your shared folders. Look for: Sharing settings on sensitive documents; Access by people you don't recognize; Modified timestamps that don't match when you remember modifying the file.
Step 5: Check Your Domain's Email History — Ask your email provider (or check your admin console) for email activity reports. Have there been bulk email sends you didn't authorize? Emails sent to unusual recipients?
What to Do If You Find Something Suspicious
Step 1: Don't Panic, But Do Act Fast — If you find evidence of a breach, assume the worst. Someone has access to your systems.
Step 2: Change Passwords Immediately — For everyone. Not tomorrow. Today. New, strong, unique passwords that nobody else has.
Step 3: Disable Suspicious Accounts — If you found unauthorized email forwarding rules or admin accounts, delete them. Revoke access.
Step 4: Check for Data Loss — Has anyone copied sensitive files? Have files been modified? Deleted? Do a spot check of your most sensitive data.
Step 5: Notify Relevant People — Your team needs to know. Your customers might need to know (depending on what data was exposed). Your insurance provider might need to know.
Step 6: Restore from Backup — If files have been compromised, consider restoring from a clean backup. You want to make sure you don't have malware lingering.
Step 7: Consider Professional Help — If this is serious, hire a security professional or incident response team. They can do a full forensic investigation.
How to Prevent This
Require Strong Passwords — Not "password rules" (those don't work). Actually strong passwords. 16+ characters, mix of types, no pattern. Or better yet, use a password manager and generate random passwords.
Implement Two-Factor Authentication — Require everyone to use two-factor authentication (not SMS if you can avoid it, use an authenticator app). This prevents "password compromise" from being fatal.
Monitor for Suspicious Activity — Set up alerts for unusual login attempts, mass email sends, or new admin accounts.
Educate Your Team — Most breaches come from phishing or password reuse. Train your team to recognize phishing, to use unique passwords, to not share credentials.
Patch Software Regularly — Keep your systems updated. Unpatched software is an open door.
Back Up Your Data — Regular backups mean that even if you get ransomwared, you can restore. Backups should be automated and tested regularly.
Audit Access — Who has access to what? Remove access for people who've left. Use the principle of least privilege (people only have access to what they need).
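The manual checks in "How to Check If You've Been Breached" and the alerts suggested under "Monitor for Suspicious Activity" can be automated once you export your login and settings audit records. The script below is an added example, not code from this guide or from Google; the event format, the `example.com` domain, the known-country list and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"   # assumption: your own mail domain; forwarding elsewhere is suspect
KNOWN_COUNTRIES = {"US"}          # assumption: where your team normally signs in from
FAIL_THRESHOLD = 3                # failed logins within FAIL_WINDOW before a success is flagged
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample events (not real logs). One dict per event, in the shape you
# might get after exporting and normalising Admin Console login / Gmail settings records.
EVENTS = [
    {"ts": "2024-03-02T08:01:00", "user": "ana@example.com", "type": "login_failure", "ip": "203.0.113.7", "country": "RO"},
    {"ts": "2024-03-02T08:02:00", "user": "ana@example.com", "type": "login_failure", "ip": "203.0.113.7", "country": "RO"},
    {"ts": "2024-03-02T08:03:00", "user": "ana@example.com", "type": "login_failure", "ip": "203.0.113.7", "country": "RO"},
    {"ts": "2024-03-02T08:06:00", "user": "ana@example.com", "type": "login_success", "ip": "203.0.113.7", "country": "RO"},
    {"ts": "2024-03-02T08:20:00", "user": "ana@example.com", "type": "forwarding_added", "target": "archive@mailbox.invalid"},
    {"ts": "2024-03-05T09:00:00", "user": "bob@example.com", "type": "login_success", "ip": "198.51.100.4", "country": "US"},
    {"ts": "2024-03-09T11:00:00", "user": "ana@example.com", "type": "recovery_changed", "target": "recovery@mailbox.invalid"},
    {"ts": "2024-03-10T11:00:00", "user": "ana@example.com", "type": "admin_granted", "target": "helper@example.com"},
]

def find_signs(events, known=KNOWN_COUNTRIES, domain=INTERNAL_DOMAIN):
    """Return (user, description) pairs for each warning sign found in the events."""
    findings = []
    failures = defaultdict(list)  # user -> timestamps of failed logins inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        user, t = e["user"], datetime.fromisoformat(e["ts"])
        recent = [f for f in failures[user] if t - f <= FAIL_WINDOW]
        if e["type"] == "login_failure":
            failures[user] = recent + [t]
        elif e["type"] == "login_success":
            if len(recent) >= FAIL_THRESHOLD:   # guessing or credential stuffing that eventually worked
                findings.append((user, f"success after {len(recent)} failed logins from {e['ip']}"))
            failures[user] = []
            if e["country"] not in known:       # the 'unfamiliar location' sign
                findings.append((user, f"login from unfamiliar country {e['country']} ({e['ip']})"))
        elif e["type"] == "forwarding_added" and not e["target"].endswith("@" + domain):
            findings.append((user, f"forwarding rule to external address {e['target']}"))
        elif e["type"] == "recovery_changed":
            findings.append((user, f"recovery contact changed to {e['target']}"))
        elif e["type"] == "admin_granted":
            findings.append((user, f"admin role granted to {e['target']}"))
    return findings

if __name__ == "__main__":
    for user, what in find_signs(EVENTS):
        print(f"[{user}] {what}")
```

Run it on a monthly export and every line it prints is something to verify by hand; an empty result is not proof of safety, only that none of these particular signs appeared.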
The Downloadable Resource
We've created a Breach Detection & Prevention Checklist that includes: A step-by-step guide to check for signs of compromise (what to look at, where to find it); a monthly security checklist (things to verify); password security guidelines; two-factor authentication setup instructions; an incident response checklist (what to do if you find evidence of a breach).
Download it here: aiforbusiness.net/resources/breach-detection-checklist
This takes about 90 minutes to work through and can save you months of undetected compromise.
What's Next
Keeping your data secure in the systems you control is important. But a lot of your business knowledge is probably in people's heads. The next article, "That Former Employee Left Behind Code You Can't Maintain. You're Now Stuck," covers the risk of critical business systems that only one person understands.