Go to myaccount.google.com/permissions and look at the third-party apps and services that currently have access to your Google account.

How many are on that list? If you're like most users, you'll scroll past dozens of logos. You'll recognize a few. But there are almost certainly one or two you have no memory of ever connecting.

And here's the catch: every one of those apps still holds a valid grant. Behind each entry is a refresh token the app can exchange, at any time and without asking you again, for access to your account with exactly the permissions you approved on the day you clicked "Allow".

The Problem With "Sign In With Google"

To be clear, "Sign in with Google" (and Microsoft, and Facebook) is a fantastic feature. It is built on OAuth 2.0 (the login part is OpenID Connect, which runs on top of OAuth), and it is a safer and more convenient way to log in to websites than creating yet another account on a random site with a password you've reused everywhere else.

But we've gotten far too casual with it. We treat every OAuth popup the same way: we click "Allow" without reading what we are actually allowing.

The difference is in the scopes the app asks for. Handing over your email address to register an account (the openid, email and profile scopes) tells the site who you are. Granting a Gmail read scope is something else entirely: you are no longer just logging in, you are giving that specific developer a key to your inbox. That key stays valid until you revoke it. (Google does invalidate a refresh token that goes unused for six months, and a password change invalidates tokens that carry Gmail scopes, but don't rely on either; revoke deliberately.)
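A practical way to see this distinction before you click "Allow" is to read the scope parameter in the consent popup's URL. The script below is an added example, not code from the original post or from Google: it pulls the requested scopes out of a Google authorization URL (or out of the space-separated scope string that Google's tokeninfo endpoint returns for a token you already hold) and sorts them into sign-in identity scopes versus mailbox scopes. The scope strings are Google's real ones; the plain-English risk labels, the "EXAMPLE" client ID and the two sample URLs are constructed for this example.

```python
"""Classify what a Google OAuth consent screen is really asking for.

Added example (not part of the original post or any Google tooling).
Copy the address of an accounts.google.com consent popup and pass it to
scopes_from_auth_url(); the scope strings are Google's, the risk labels
are this example's own assessment.
"""
from urllib.parse import parse_qs, urlparse

GOOGLE_SCOPE_PREFIX = "https://www.googleapis.com/auth/"

# Scopes that only identify you: appropriate for "log me in".
IDENTITY_SCOPES = {
    "openid",
    "email",
    "profile",
    GOOGLE_SCOPE_PREFIX + "userinfo.email",
    GOOGLE_SCOPE_PREFIX + "userinfo.profile",
}

# Gmail scopes and what each lets a third party do with your mailbox.
# (Labels are this example's assessment, ordered roughly by blast radius.)
MAILBOX_SCOPES = {
    GOOGLE_SCOPE_PREFIX + "gmail.labels": "manage labels only",
    GOOGLE_SCOPE_PREFIX + "gmail.metadata": "read headers and labels, not bodies",
    GOOGLE_SCOPE_PREFIX + "gmail.readonly": "read every message",
    GOOGLE_SCOPE_PREFIX + "gmail.send": "send mail as you",
    GOOGLE_SCOPE_PREFIX + "gmail.compose": "create drafts and send mail as you",
    GOOGLE_SCOPE_PREFIX + "gmail.modify": "read, send and alter messages",
    GOOGLE_SCOPE_PREFIX + "gmail.settings.basic": "change basic settings such as filters",
    GOOGLE_SCOPE_PREFIX + "gmail.settings.sharing": "change forwarding, delegation and send-as",
    "https://mail.google.com/": "full mailbox control, including permanent deletion",
}


def scopes_from_auth_url(url: str) -> list[str]:
    """Extract the space-separated `scope` parameter from an authorization URL.

    parse_qs percent-decodes the value, so %20 becomes a space and
    %3A%2F%2F becomes ://, giving back the original scope strings.
    """
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def classify_scopes(scopes: list[str]) -> dict:
    """Bucket each scope as identity, mailbox (with its risk label) or other."""
    result = {"identity": [], "mailbox": {}, "other": []}
    for scope in scopes:
        if scope in IDENTITY_SCOPES:
            result["identity"].append(scope)
        elif scope in MAILBOX_SCOPES:
            result["mailbox"][scope] = MAILBOX_SCOPES[scope]
        else:
            result["other"].append(scope)  # Drive, Calendar, Contacts, ...
    return result


def verdict(scopes: list[str]) -> str:
    """One-line answer to "is this just a login, or am I opening my inbox?"."""
    buckets = classify_scopes(scopes)
    if buckets["mailbox"]:
        return "MAILBOX ACCESS"
    if buckets["other"]:
        return "OTHER ACCOUNT DATA"
    return "SIGN-IN ONLY"


# Constructed sample consent URLs (placeholder client_id and redirect_uri).
LOGIN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.com%2Fcb&response_type=code"
    "&scope=openid%20email%20profile"
)
INBOX_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.com%2Fcb&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.modify"
)

if __name__ == "__main__":
    for name, url in (("login app", LOGIN_URL), ("inbox app", INBOX_URL)):
        scopes = scopes_from_auth_url(url)
        print(f"{name}: {verdict(scopes)}")
        for scope, label in classify_scopes(scopes)["mailbox"].items():
            print(f"  {scope} -> {label}")
```

The same classify_scopes() function works on the scope string Google's tokeninfo endpoint (https://oauth2.googleapis.com/tokeninfo) returns for an existing token, so it can also tell you what a grant you already approved is capable of.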

The AI Threat Multiplier

This habit gets considerably more dangerous once AI enters the picture.

There are hundreds of AI tools promising to "manage your inbox" or "draft your replies." To do that, they request read and write access to your mailbox (on Gmail, scopes such as gmail.readonly or gmail.modify) through an OAuth connection.

Prompt injection, ranked first in the OWASP Top 10 for LLM Applications, is an attack in which text the model processes as data is treated as instructions, overriding what the model was originally told to do. It does not have to come from the person using the tool: an email sitting in your inbox can carry the injected instructions, and the assistant reads it as part of its normal job.

If an attacker sends your AI email summarizer a message crafted to redirect it, and that assistant has an open OAuth connection to your inbox, the attacker is now acting inside your mailbox with the permissions you granted the assistant.

Your inbox is the master key to your identity: it is where every other service sends password reset links and, often, MFA codes. If the assistant is tricked into leaking your inbox contents, the attacker doesn't just get your emails. They get your bank statements, your reset links and your second factors, and they can work through every other account you own, all because of one OAuth connection you approved and forgot about.

The Analytics Acquisition Trap

Even without AI tools, leaving old connections open is a major risk.

The tech industry runs on acquisitions. When you click "Allow," you make a deal with a specific company at that moment. But the grant you approved is a company asset: if that company is bought, your live refresh token goes to the new owner along with everything else.

For example, Unroll.me is a free email management service that became hugely popular by organizing users' inboxes into a daily digest called "The Rollup".

But the service was acquired by an analytics company, Slice Intelligence. As reported in 2017, the owners used those active inbox connections to scan users' mail for Lyft receipts, and the anonymized receipt data was sold to Uber so it could track its competitor. Users thought they were organizing their newsletters; in practice they had handed their entire inbox to an analytics firm.

How to Protect Yourself

Stories like that make it tempting to disconnect everything and never use OAuth again, but that isn't realistic. These tools are genuinely useful. The trick is knowing how to use them safely.

The most important question is where your data goes. If an app genuinely needs to read your emails, like an AI summarizer or a fast search tool, ask: where does the processing happen?

If the app processes data locally on your device, your mail never leaves your computer, and the token and the data stay under your control (they are still only as safe as the device they live on). If the app sends your token and data to its cloud servers, you are adding another layer of risk: that company now holds a long-lived key to your inbox, and you are trusting its security practices, its retention policies and, as the Unroll.me story shows, its future owners.

We need to stop treating these permission screens like a standard login button. Read the scopes before you approve them.

Above all, remember that granting access to your inbox is never a "set and forget" action. Make a habit of auditing your connected apps regularly. If you are not actively using an app, revoke its access; revocation invalidates the token it holds. A forgotten connection that is still open is a standing exposure, whether or not the app is still being used.

ThunderSweep: 100% Local Security

If you want a tool that scans your Gmail for sensitive documents (old tax returns, bank statements and the like) without sending anything to a cloud service, check out ThunderSweep. It runs 100% locally in your browser, so your data never leaves your machine.

Try ThunderSweep Free