Online address book service Plaxo has confirmed that an unknown malicious third-party gained access to the company’s API connection to Google’s address book and calendar. As a result of the security breach, Google took precautionary measures and temporarily disabled the connection, and sent Google account holders a “Suspicious sign in prevented” email advising them that a hijacker was trying to access their account.
Read more on The H.
On its blog, Plaxo explained what happened:
Google and Plaxo detected a malicious party misusing Plaxo’s server connection to Google as a means to login to Google accounts using a set of credentials the malicious party obtained on their own. These credentials were not obtained from Plaxo. This party used a function we call the AB Widget which we had slated for retirement to access those accounts hiding behind Plaxo’s proxy.