ChatGPT retrieved internal company files in 42 milliseconds when asked a single question

An employee of Sola Security, a small new cybersecurity company, asked ChatGPT a single routine question about SSO configuration. But in response, the chatbot’s backend quietly retrieved hundreds of internal company files in less than a second.
The company has already dealt with this “Shadow AI” data exposure incident involving ChatGPT’s Google Drive integration. No breach occurred and no unauthorized parties accessed the data.
But Sola Security says the episode has implications for any enterprise using AI tools with integrations.
What actually happened? ChatGPT responded to a simple question about SSO configuration by quickly and quietly retrieving more than 400 internal files from Sola’s Google Drive.
According to the company, the chatbot took just 42 milliseconds to extract important and sensitive Sola files, including product roadmaps, financial records, and customer plans.
AI behavior you can’t see or control
“There was no breach, no attacker, and no alert. The access occurred through a standard and fully approved OAuth connection,” Sola Security said in a detailed blog post.
“This raises a product design question for OpenAI and every AI provider with file integrations: why does a single user query trigger a full Drive enumeration rather than a targeted file lookup?”
To be fair, the company had approved a ChatGPT-to-Google Drive integration for its employees. This isn’t unusual – security teams sign off on processes like that every week, Sola Security explained.
Then again, this might just be a lesson that “Shadow AI,” or the unmonitored use of generative AI tools that occurs when employees feed corporate and sensitive data into systems outside IT’s control, isn’t exactly the safest way to deal with data security.
Last year, a Cybernews survey of more than 1,000 employees across the US showed that 59% admit to using unapproved AI tools to help with work tasks.
Indeed, Sola Security admits: “When security leaders hear ‘Shadow AI,’ most picture an employee sneaking an unauthorized chatbot onto a corporate laptop. A rogue browser extension. Maybe an intern pasting source code into a free large language model.”
But that framing misses the bigger exposure, the company points out, because “Shadow AI” covers any AI behavior in your organization that you can’t see or control – and “risk can also live inside integrations your team already reviewed and approved.”
“AI now touches nearly every layer of a modern organization. Your developers use AI coding assistants (GitHub Copilot, Cursor, Claude Code) that interact with proprietary repositories. AI desktop applications sit on corporate endpoints with access to local files and system data,” said Sola Security.
“In some environments, teams integrate LLMs into production pipelines and continuous integration/continuous deployment workflows where the downstream data flows are harder to track.”
The prompt woke up the ChatGPT backend
In this specific case, what’s important is what happens when an employee wants – or is authorized – to use an AI copilot with their Google Drive.
They click “Connect,” a standard Google consent screen appears, they review the permissions, and they approve. The whole process takes about ten seconds.
But the scope granted in those ten seconds is worth examining closely. In Sola’s case, the consent included drive.readonly (read access to every file the user can reach), directory.readonly (organizational directory information), contacts.readonly, and several identity-related scopes.
In other words, a single approval gave the application access to read the full contents of any document, spreadsheet, presentation, or PDF the employee could open, plus visibility into the company’s directory structure.
And the access doesn’t expire when the employee closes their browser tab. OAuth refresh tokens allow the application to call Google’s APIs for extended periods without re-authentication or additional user interaction.
The employee approved access on a Tuesday morning, and weeks later, those tokens were still active, still capable of reading every shared document in the employee’s Drive.
“For 21 days after our employee clicked ‘approve,’ those tokens sat completely idle. Then came a single prompt, and the backend woke up,” said Sola Security.
The prompt sounded like this: “Is there a document in Drive on how to enable SSO?” Within milliseconds, ChatGPT’s backend infrastructure executed a full Drive enumeration.
The application called drive.files.list to inventory the user’s accessible files, then executed drive.files.get to download 404 of them in parallel. The requests came from four cloud-based IP addresses, confirming server-to-server execution with no device or browser involved.
The retrieved files, a mix of Google Docs, Sheets, Slides, and PDFs, spanned nearly every function in the company: product roadmaps, marketing plans, customer-facing documentation, security procedures, internal strategy notes, and finance records.
This wasn't a breach
According to Sola Security, the incident was unusual because no user clicked or opened files, no one downloaded anything through a browser, no endpoint played any role, the application never requested additional permissions, and no alert fired anywhere in its security stack.
“The entire event looked like nothing, which is exactly why traditional monitoring never flagged it,” said the company.
The reason is pretty straightforward and even predictable at this point. Amidst all the AI hype, the fact is that the tools in most security stacks were built to watch humans, not backend AI processes.
“The shared assumption across all of these layers: a human actor drives the data movement. When an AI application operates autonomously through API tokens, that assumption breaks down,” said Sola Security.
The company advises looking for warning signs in Google Workspace admin logs – but admits it only detected the incident by accident while working to improve Sola’s Google Workspace integration.
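One way the pattern described above (a single drive.files.list followed within milliseconds by hundreds of drive.files.get calls from several server IPs) could be flagged in exported API activity. This is an added example, not code from Sola Security, OpenAI or Google; the event schema, field names, app names, addresses and thresholds are constructed for illustration and are not the Google Workspace log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def event(ts, app, user, method, file_id, src_ip):
    # Simplified, hypothetical record: one API call made with an OAuth token.
    return {"ts": ts, "app": app, "user": user, "method": method,
            "file_id": file_id, "src_ip": src_ip}

def sample_events():
    """Constructed sample data, shaped after the incident the article describes."""
    t0 = datetime(2025, 1, 7, 9, 0, 0)
    ips = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
    ev = [event(t0, "ai-assistant", "alice@example.com", "drive.files.list", None, ips[0])]
    # 404 downloads spread over about 40 ms, issued from four server addresses.
    for i in range(404):
        ev.append(event(t0 + timedelta(microseconds=100 * (i + 1)), "ai-assistant",
                        "alice@example.com", "drive.files.get", f"file-{i}", ips[i % 4]))
    # A second integration that lists, then reads three files a minute apart.
    ev.append(event(t0, "notes-sync", "bob@example.com", "drive.files.list", None, "198.51.100.7"))
    for i in range(3):
        ev.append(event(t0 + timedelta(minutes=i + 1), "notes-sync",
                        "bob@example.com", "drive.files.get", f"note-{i}", "198.51.100.7"))
    return ev

def find_bulk_reads(events, window=timedelta(seconds=1), min_files=50):
    """Flag (app, user) pairs where a list call is followed by at least
    min_files distinct file downloads inside the time window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["app"], e["user"])].append(e)
    findings = []
    for (app, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["method"] != "drive.files.list":
                continue
            burst = [g for g in evs[i + 1:] if g["method"] == "drive.files.get"
                     and g["ts"] - e["ts"] <= window]
            files = {g["file_id"] for g in burst}
            if len(files) >= min_files:
                span = (burst[-1]["ts"] - e["ts"]).total_seconds() * 1000
                findings.append({"app": app, "user": user, "files": len(files),
                                 "source_ips": sorted({g["src_ip"] for g in burst}),
                                 "span_ms": round(span, 1)})
    return findings

if __name__ == "__main__":
    for finding in find_bulk_reads(sample_events()):
        print(finding)
```

The window and file-count thresholds are starting points; a legitimate backup or sync integration would need an allowlist entry or a higher threshold.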
Interestingly, when the firm presented its findings to security professionals, some pushed back, since, well, the integration did what its permissions allowed: nobody exploited a vulnerability, and no attacker was involved.
Sola Security agrees that calling the episode a breach might be a stretch, but says it depends on how the organization defines risk.
“Sensitive corporate data spanning nearly every business function traveled from Google’s infrastructure to third-party cloud servers hosted on Azure. Whether or not the AI provider retains or trains on that data is a separate conversation,” said the company.
“The fact remains: the information crossed an organizational boundary, landed on servers outside our control, and we had no awareness it happened until we stumbled on it weeks later.”