Is the "Anyone with the link" setting in Google Drive secure?

No. The "Anyone with the link" setting in Google Drive is not a secure access control. Once a document is shared this way, it becomes publicly accessible to anyone who obtains the URL. If the link is ever posted in a public channel, included in a support ticket, shared in a forum, or captured by a browser or third-party service, the file is effectively exposed on the open internet.

How can supposedly private Google Drive links become publicly exposed or indexed?

Google Drive links set to "Anyone with the link" can leak in many everyday workflows. People paste them into public Slack channels, community forums, issue trackers, or emails that later get forwarded or archived in public places. Once a link appears on a crawlable web page or in a context monitored by search or AI crawlers, it can be discovered, indexed, and accessed by others without any additional authentication.

What types of data are commonly exposed through misconfigured public document links?

Misconfigured public document links frequently expose sensitive personal and corporate data. Examples include full names, email addresses, phone numbers, customer records, internal project documents, financial reports, contractor evaluations, and materials explicitly labeled as confidential. In many cases this information is enough to support identity theft, targeted phishing, or corporate espionage without any direct system compromise.

Why are AI systems and web crawlers a growing risk for "Anyone with the link" documents?

AI assistants, search engines, and other automated crawlers continuously scan public web content for context and training data. If a Google Drive document is accessible without authentication, it may be ingested, summarized, or surfaced as part of an AI-generated answer or search result. That means internal files shared via public links can be unintentionally exposed to external users long after the link was created, even if no traditional "hack" occurred.

What are best practices to prevent accidental exposure from Google Drive public links?

To prevent accidental exposure, organizations should: 1) set "Restricted" as the default sharing mode and grant access only to specific users or groups; 2) limit or disable the ability to use "Anyone with the link" for sensitive Shared Drives at the admin level; 3) use time-limited links with automatic expiry for external sharing; and 4) run regular audits to find and revoke public links across the domain using native Google Workspace security tools or dedicated security solutions.

How often should organizations audit their Google Drive and cloud document sharing settings?

Organizations should treat document-sharing audits as an ongoing security task, not a one-time project. At minimum, sharing settings should be reviewed quarterly, and after major changes such as mergers, team restructures, or large hiring waves. High-risk environments, or those handling sensitive personal or regulated data, benefit from continuous monitoring that automatically detects and flags new "Anyone with the link" documents or unusual public sharing activity.

In a large organization, thousands of these links are created every week. Security operations often struggle to keep up with this volume, leading to a rapid expansion of the attack surface.

Misconfiguration Spotlight

Misconfiguration Spotlight: The Myth of the “Secret” URL

Or Naim February 4, 2026

Introducing the “Misconfiguration Spotlight”

In cybersecurity, we often obsess over the exotic zero-day while the front door remains wide open due to simple configuration drift.

I am launching this series, Misconfiguration Spotlight, to address a hard truth: many of the most dangerous exposures in your stack are “obvious” on paper, yet they persist for years because the manual effort to remediate them safely is too high. Our goal is to move the industry past the “diagnostic fatigue” of endless reports and toward a state of preemptive, automated health.

The Myth of the “Secret” URL

In this first spotlight, I want to talk about a dangerous misconception I see daily: the idea that a Google Drive “Anyone with the link” setting is a form of security. In my view, a link is not a password; it is a door left unlocked. Once a file is set to public access, it is effectively live on the open internet.

Why This Persists? In a large organization, thousands of these links are created every week. Security operations often struggle to keep up with this volume, leading to a rapid expansion of the attack surface.

The Real-World Risks

Search Engine & AI Discovery: Links posted on crawlable sites are quickly indexed. Worse, modern AI agents now scan the web for context, meaning your “confidential” docs could become training data for a competitor’s query.
AI Training & Discovery: As AI agents (like Gemini or OpenAI’s crawlers) scan the web for context, publicly accessible documents can be ingested as training data or retrieved as “live” information, potentially surfacing confidential company data to external users.
Malicious Crawlers: Threat actors use automated bots to enumerate and “scrape” Google Drive URL patterns. These bots systematically look for open directories to build databases of exposed PII (Personally Identifiable Information) and corporate secrets.

Sample Case Studies

Ateam Inc. (Massive PII Exposure, 2023)

The Incident: A Japanese game developer left files set to “Anyone with the link” for six years.
The Impact: Exposure of data belonging to nearly 1,000,000 individuals, including customers, employees, and job applicants.
Data Leaked: Full names, email addresses, and phone numbers. This created a massive, long-term window for identity theft and phishing.

Reference : a-tm.co.jp/en/news/44383/

Scale AI (Confidential Corporate Data, 2025)

The Incident: Hundreds of Google Docs were found publicly accessible without authentication.
The Impact: Exposure of high-level projects involving major AI clients (Meta, Google, xAI).
Data Leaked: Internal AI training materials, contractor evaluations, and documents explicitly marked “Confidential.” This provided a direct attack surface for social engineering and corporate espionage.

Reference : https://www.businessinsider.com/scale-ai-public-google-docs-security-2025-6

Consequences of Misconfiguration

Data Breaches & Regulatory Fines: Under GDPR, CCPA, and other privacy laws, “Anyone with the link” exposure is often classified as a reportable breach if PII is involved, leading to heavy fines.
Social Engineering & Phishing: Attackers use internal document details (project names, tone of voice, employee lists) to craft highly convincing phishing attacks.
Intellectual Property Theft: Competitors or adversaries can gain access to roadmaps, source code snippets, and strategic plans without ever needing to “hack” a system.
Reputational Damage: As seen with Scale AI and Ateam, public exposure of “Confidential” files erodes trust with high-profile clients and partners.

Best Practices for Prevention

Default to “Restricted”: Access should only be granted to specific email addresses or groups.
Disable Public Sharing at Admin Level: Organizations should restrict the ability to create “Anyone with the link” URLs for sensitive Shared Drives.
Use Expiry Dates: When external sharing is necessary, set links to expire automatically.
Regular Audits: Use Google Workspace’s security investigation tool to identify and revoke “Anyone with the link” permissions across the domain.

The Bottom Line: A public Google Drive link is a door left unlocked. If you wouldn’t post the document on your company website, don’t use the “Anyone with the link” setting. Stop managing the list start Reclaiming your security posture.

The Myth of the “Secret” URL

The Real-World Risks

Sample Case Studies

Ateam Inc. (Massive PII Exposure, 2023)

Scale AI (Confidential Corporate Data, 2025)

Consequences of Misconfiguration

Best Practices for Prevention

More like this...

Misconfiguration Spotlight: Untrusted Font Blocking Is Off by Default — and Attackers Know It

Mastering Cyber Risk Assessment and Remediation

A CISO’s Guide to Network Security Auditing That Actually Works