
Google Workspace Vendor Cyber Rating & Cyber Score

google.com

Google Workspace is how teams of all sizes do their best work.


Google Workspace A.I CyberSecurity Scoring

Company Information
Website: http://workspace.google.com
Employees number: 3
Number of followers: 725,220
NAICS: 5112
Industry Type: Software Development
Homepage: google.com
Google Workspace Risk Score (AI oriented)
Between 550 and 599
Updated: 04/05/2026
558/1000
Very Poor

Current Score: 558 Ca (VERY POOR)
3 incidents
-66.67 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 564 Before Incident
MAY 2026: 558 Before Incident
APRIL 2026: 557 Before Incident
MARCH 2026: 713 Before Incident

Breach, 20 Mar 2026, Google Workspace
Notion, Slack, Google, Zoom, Nikkei and Workday: Your work apps are quietly handing 19 data points to someone

Workplace Apps Collect Extensive User Data, Raising Privacy and Security Concerns

552 After Incident
CRITICAL -161
WORNOTGOOZOONIKTIN1777868873
A recent study by Incogni, analyzing data from the Google Play Store as of March 20, 2026, reveals that ten widely used workplace apps, including Gmail, Microsoft Teams, Zoom Workplace, Slack, and Notion, collect an average of 19 data points per app, with some sharing sensitive information with third parties. These apps, cumulatively downloaded over 12.5 billion times, are integral to U.S. corporate operations but pose significant privacy and security risks.

Data Collection and Sharing Practices

Gmail leads in data harvesting, collecting 26 distinct data types, including approximate location, app interactions, and user IDs for advertising. Microsoft Teams and Zoom Workplace follow closely, with 25 and 23 data types, respectively, both uniquely gathering precise location data. Six of the ten apps, including Slack, Notion, and Zoom Workplace, use collected data for marketing, with Slack, Todoist, and Notion specifically harvesting employee email addresses for this purpose.

Notion stands out for its outbound data flow, sharing eight data types, such as email addresses, names, and device IDs, with third parties, including advertising partners. The app's privacy policy permits tracking tools on user browsers, raising concerns over the exposure of sensitive workspace content like HR records and client data. Regulatory scrutiny has intensified, particularly after the EU's Data Protection Board tightened GDPR requirements in December 2024 regarding personal data use in AI training, directly impacting Notion's third-party model integrations.

Security Vulnerabilities and Breach History

Most apps in the study have a history of breaches. In January 2026, a 96-gigabyte database containing 149 million login credentials (48 million tied to Gmail) was exposed, attributed to infostealer malware on user devices. Slack suffered a November 2025 breach where attackers used stolen credentials to access accounts of over 17,000 Nikkei employees, exposing names, emails, and chat histories. Trello, Zoom, and Microsoft products have also faced incidents, with Trello data appearing for sale in January 2024.

Workday is the only app in the analysis without a user data deletion option, despite holding employment records and payroll details. In August 2025, the platform confirmed two breaches linked to its Salesforce CRM, where attackers obtained business contact information as part of a ShinyHunters social engineering campaign.

BYOD Risks and Platform Disparities

Many employees install these apps on personal devices, exposing contact details, financial data, and location information to advertising networks or corporate administrators. Slack, for example, lacks end-to-end encryption, allowing workspace owners to access direct messages and private channels. While the study focuses on Google Play data, Incogni notes that iOS disclosures may differ, though past comparisons suggest similar privacy practices across platforms.

The findings highlight the trade-offs between workplace productivity and data exposure, with recurring breaches and extensive tracking underscoring the risks of integrating these tools into daily operations.
INCIDENT DETAILS
TYPE: Data Collection, Privacy Violation, Data Breach
MOTIVATION: Data Harvesting for Advertising, Financial Gain, Espionage
IMPACT
Login Credentials, Email Addresses, Names, Chat Histories, Employment Records, Payroll Details, Device IDs, Location Data
Gmail, Microsoft Teams, Zoom Workplace, Slack, Notion, Trello, Workday
Operational Impact: Exposure of sensitive workspace content and corporate data
Brand Reputation Impact: Increased regulatory scrutiny and loss of user trust
GDPR Violations, Potential Fines
Identity Theft Risk: High
DATA BREACH
Login Credentials, Email Addresses, Names, Chat Histories, Employment Records, Payroll Details, Device IDs, Location Data
149 million (Gmail-related), 17,000 (Slack)
Sensitivity Of Data: High
Data Exfiltration: Yes
Data Encryption: Lacking in some cases (e.g., Slack)
Email Addresses, Names, Employment Records, Payroll Details
MARCH 2026: 733 Before Incident

Cyber Attack, 04 Mar 2026, Google Workspace
Microsoft and Google: Microsoft Warns of Advanced Phishing Campaign Abusing OAuth in Entra ID

Sophisticated Phishing Campaigns Abusing OAuth 2.0 Redirects

712 After Incident
CRITICAL -21
MICGOO1772628247
Microsoft Uncovers Sophisticated Phishing Campaigns Abusing OAuth 2.0 Redirects

Microsoft has identified a series of phishing attacks targeting government and public-sector organizations by exploiting OAuth 2.0's redirection features in Microsoft Entra ID and Google Workspace. Unlike traditional credential theft, these campaigns bypass email filters by weaponizing trusted authentication protocols to deliver malware.

### Attack Mechanics

Threat actors register malicious apps in their tenant, configuring redirect URIs to point to phishing or malware-hosting domains. Phishing emails disguised as e-signature requests, Teams invites, or password resets lure victims into clicking links that trigger a silent OAuth flow. By manipulating parameters like `prompt=none` and `scope=invalid`, attackers force error redirects without user interaction, masking malicious URLs from scanners. The `state` parameter encodes the victim's email in Base64, hex, or custom schemes, auto-populating phishing pages for realism.

Once clicked, victims are redirected to tools like EvilProxy for session hijacking or prompted to download a ZIP file containing a malicious LNK file. This executes PowerShell for host reconnaissance, then sideloads `crashhandler.dll` via a legitimate `steam_monitor.exe` process to establish command-and-control (C2) communication.

### Detection & Indicators

The attack does not exploit vulnerabilities but abuses OAuth 2.0 protocol behavior as outlined in RFC 6749/9700. Key indicators include:

- URL Parameters: `prompt=none`, `scope=invalid` (triggers silent redirects)
- File Artifacts: `steam_monitor.exe`, `crashhandler.dll`, `crashlog.dat` (DLL sideloading)
- Defender Signatures: `Trojan:Win32/Malgent`, `Trojan:Win32/Znyonm`, `Trojan:Win32/WinLNK`
- Error Codes: `65001`, `error=interaction_required` (failed SSO, successful redirect)

### Mitigation Strategies

Microsoft recommends OAuth governance over patching, including:

- App Audits: Regularly review overprivileged OAuth applications.
- Access Controls: Enforce Conditional Access and identity protection.
- Telemetry & Hunting: Use XDR for cross-signal correlation, flagging anomalies like PowerShell execution from LNK files or DLL sideloading.

The campaign underscores the growing trend of protocol abuse in phishing, where attackers leverage legitimate features to evade detection.
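
The URL-parameter indicators above can be checked on clicked links in mail-gateway or proxy logs. The following is an added example, not code from Microsoft or from this page: the authorization hosts, function names and sample URLs are assumptions constructed for illustration, and only the Base64 and hex `state` encodings are handled (custom schemes are not).

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the authorization hosts of the two identity providers named above.
AUTHZ_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def decode_state(state):
    """Return an e-mail address hidden in `state` (Base64 or hex), else None."""
    decoders = (lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)),
                bytes.fromhex)
    for decode in decoders:
        try:
            text = decode(state).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if EMAIL_RE.match(text):
            return text
    return None

def inspect_authorize_url(url):
    """Score one clicked URL; None means it is not an authorization request."""
    parts = urlsplit(url)
    if parts.hostname not in AUTHZ_HOSTS:
        return None
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    reasons = [f"{k}={v}" for k, v in (("prompt", "none"), ("scope", "invalid"))
               if query.get(k) == v]
    email = decode_state(query.get("state", ""))
    if email:
        reasons.append("state carries e-mail")
    # prompt=none alone is ordinary silent SSO, so require two signals.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "email": email}

# Constructed sample URLs (placeholder client_id, example.gov recipients).
BASE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=PLACEHOLDER"
SAMPLES = [
    BASE + "&prompt=none&scope=invalid&state="
         + base64.urlsafe_b64encode(b"alice@example.gov").decode(),
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=PLACEHOLDER"
    "&prompt=none&scope=invalid&state=" + b"bob@example.gov".hex(),
    BASE + "&prompt=none&scope=openid&state=x9Kq2",  # benign silent SSO
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_authorize_url(sample))
```

A recipient address recovered from `state` that matches the mailbox the link was delivered to is a strong correlation signal for triage.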
INCIDENT DETAILS
TYPE: Phishing
IMPACT
Microsoft Entra ID, Google Workspace
Identity Theft Risk: High (session hijacking via EvilProxy)
DATA BREACH
LNK, DLL, ZIP
Personally Identifiable Information: Email addresses (encoded in `state` parameter)
FEBRUARY 2026: 733 Before Incident
JANUARY 2026: 751 Before Incident

Cyber Attack, 23 Jan 2026, Google Workspace
Okta, Salesforce and Google: ShinyHunters claim to be behind SSO-account data theft attacks

ShinyHunters Gang Behind Vishing Attacks Targeting SSO Accounts at Okta, Microsoft, and Google

733 After Incident
CRITICAL -18
OKTSALGOO1769222214
The extortion group ShinyHunters has claimed responsibility for a series of voice phishing (vishing) attacks targeting single sign-on (SSO) accounts at Okta, Microsoft Entra, and Google, enabling threat actors to breach corporate SaaS platforms and steal data for extortion.

In these attacks, cybercriminals impersonate IT support staff, calling employees and tricking them into entering credentials and multi-factor authentication (MFA) codes on phishing sites mimicking legitimate login portals. Once compromised, the attackers gain access to the victim's SSO account, which often serves as a gateway to connected enterprise applications, including Salesforce, Microsoft 365, Google Workspace, Dropbox, Slack, and Atlassian.

The phishing kits used in these attacks feature real-time control panels, allowing attackers to dynamically adjust phishing pages during calls, prompting victims to approve MFA requests or enter one-time codes as needed. Okta confirmed the use of such kits in a recent report, though it declined to comment on the breaches themselves.

ShinyHunters told BleepingComputer that it is behind some of the attacks, with Salesforce as its primary target, though other platforms are also exploited. The group leverages stolen employee data, including phone numbers, job titles, and names from previous breaches, to make social engineering calls more convincing.

Recent victims listed on ShinyHunters' Tor data leak site include SoundCloud, Betterment, and Crunchbase. While SoundCloud and Betterment had previously disclosed breaches, Crunchbase confirmed a new incident involving data exfiltration from its corporate network, though no operational disruptions occurred. The company has engaged cybersecurity experts and law enforcement.

Microsoft and Google have not reported evidence of their products being abused in the campaign, with Google stating it has no indication its systems were affected. ShinyHunters disputed Okta's attribution of a specific phishing kit, claiming its infrastructure was built in-house.
INCIDENT DETAILS
TYPE: Vishing (Voice Phishing)
MOTIVATION: Extortion, Data Theft
IMPACT
Data Compromised: Corporate data, Employee credentials, MFA codes
SSO Accounts, SaaS Platforms (Salesforce, Microsoft 365, Google Workspace, Dropbox, Slack, Atlassian)
Operational Impact: Data exfiltration, Unauthorized access to corporate networks
Brand Reputation Impact: Potential reputational damage due to data breaches
Identity Theft Risk: High (stolen employee and customer data)
DATA BREACH
Employee credentials, MFA codes, Corporate data
Sensitivity Of Data: High (Personally Identifiable Information, Corporate Data)
Data Exfiltration: Yes
Personally Identifiable Information: Employee data (phone numbers, job titles, names)
DECEMBER 2025: 751 Before Incident
NOVEMBER 2025: 751 Before Incident
OCTOBER 2025: 751 Before Incident
SEPTEMBER 2025: 751 Before Incident
AUGUST 2025: 751 Before Incident
JULY 2025: 751 Before Incident
