On 15th Feb I signed a new property into Google Analytics. I then went to put the client in as an admin so they can manage their analytics and pull the info they need and add others as required.
The client had no Google account so I signed up a Gmail account, logged out, logged back into my GA and added them as admin on ONE property. I have security logs that show this is what happened.
However - Google then proceeded to make this new Gmail account (belonging to my client) the owner of all my accounts. My login was relegated as a recovery account only and all my Search Console, business analytics and AdWords were now accessible by my client's Gmail account. As I had sent them the login details this posed quite a security problem.
Every time I logged in as my email address it switched to be my client's email address.
Furthermore, I have clients who have their own GA accounts and have invited me in to help them with it - my client's Gmail account ended up on all their accounts as well. As you can imagine, my clients are asking who in hades is <client's email address>.
Google help told me I must have deliberately done this. Yeah right - I went through screen after screen of forms and sub-forms systematically removing my email account and adding the client's - except I didn't.
Logging into my client's email account - which theoretically according to Google was my account but with details changed - and changing it to my email address doesn't work as the primary email address cannot be changed - but according to help (see line above) I changed it yesterday. Also according to help it cannot be changed. Hmm - a conundrum. Either I changed the unchangeable or there is a huge security issue with Google.
Long story short - Google help wants me to put this information into a public forum, alerting potential crackers there may be a security hole or issue with Google's Analytics sign-up code that allows a master Google Analytics account to be owned by a sub-account, and then have that information and accounts flow to other linked accounts. Personally I think the fact the recovery information can be sent to a third-party email is a security hole allowing password recovery to happen.
They also want me to put my story on a public forum and get help resetting my passwords, account security and other details here in a public forum - Yup - that's exactly where account issues should be dealt with - online in a public forum - no security issues there.
There is no escalation path available to me other than to hang this probable flaw in Google code (exploitable via cookies on a shared PC would be the quickest method I assume). I'm glad Google advertises that security is their prime concern. I feel SOOOOO secure now I have given access to all my clients' search consoles, GA, business sites and adverts to my client. I feel especially secure knowing that the best I can do is work from an account that I cannot remove my client's email address as the primary email address showing in the accounts area.
BTW - Google help says the logs are probably wrong, incomplete or something - if so why bother having them at all?
This is the failure of cloud systems - they keep pushing support to public forums - even for security issues - with no escalation path. My business is a mess now - I am going to have to create a whole new Google account, and find ways of moving all my clients across - individually. That's especially tough as I can only put a new account in as owner - not primary owner / god-like access to Google business. 2.5 hours of my day wasted talking to people who cannot do more than the basics in a very narrow range with no escalation process. 3.5 hours further wasted with Spark not responding to a four-week overdue issue stopping a client's emails being accessed and spam binning everything from him (owing to the work of some third-party spoofing of emails).
Yes - I did put the information into a public forum - I hope they get hacked!!