The silent subscription copying your event stream
GCP Pub/Sub carries your event stream, sometimes with PII. An attacker can attach a new subscription to a busy topic and quietly receive a copy of every message, while the topic keeps working normally. Here is the covert tap, and how to remove it.
Nothing about the topic changes. The producers publish, the real consumers consume, and a copy of everything quietly leaves.
What it is
GCP Pub/Sub carries the organization’s event stream, sometimes including records with PII. An attacker who holds Pub/Sub permissions attaches a new subscription to a busy topic, with a push endpoint they control, and receives a copy of every message published from that point on. Producers and existing consumers are untouched, so the tap is easy to miss. In ATT&CK terms this is T1530 (Data from Cloud Storage) and T1213 (Data from Information Repositories) feeding T1567 (Exfiltration Over Web Service).
Why it works
Pub/Sub fans each message out to every subscription independently, so adding one changes nothing for producers or existing consumers: no errors, no added latency, no functional signal. And because teams create subscriptions legitimately all the time, a new one does not stand out on its own.
How to detect it
In Cloud Audit Logs, look for a new subscription on a sensitive topic created by a non-owner, especially one that pushes to an external endpoint, outside any change window.
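The check described above, as an added example that is not part of the original post: a small Python scanner that runs over constructed Cloud Audit Log lines and flags subscription changes on a sensitive topic by a non-owner, ranking them higher when the push endpoint is outside trusted domains and the change lands outside a change window. It assumes the Admin Activity JSON shape (protoPayload.methodName, authenticationInfo.principalEmail, request) and the method names google.pubsub.v1.Subscriber.CreateSubscription and google.pubsub.v1.Subscriber.ModifyPushConfig; the topic names, owners, trusted domains, change window, subscription inventory and log lines are all constructed for the demo.

```python
"""Detect covert-subscription activity in Cloud Audit Log entries.

Added example, not from the original post. Assumed: Admin Activity entries in
the JSON shape Cloud Logging exports (protoPayload.methodName,
authenticationInfo.principalEmail, request) and the method names
google.pubsub.v1.Subscriber.CreateSubscription / ModifyPushConfig. Topics,
owners, domains, change window and the log lines are constructed for the demo.
"""
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

SENSITIVE_TOPICS = {"projects/acme-prod/topics/orders-pii"}           # constructed
TOPIC_OWNERS = {"orders-svc@acme-prod.iam.gserviceaccount.com"}       # constructed
TRUSTED_PUSH_DOMAINS = {"acme.example"}                               # constructed
CHANGE_WINDOWS = [(datetime(2024, 5, 14, 2, 0, tzinfo=timezone.utc),  # constructed
                   datetime(2024, 5, 14, 4, 0, tzinfo=timezone.utc))]
# ModifyPushConfig names only the subscription, so the topic must come from an
# inventory of existing subscriptions (constructed here).
SUBSCRIPTION_TOPICS = {
    "projects/acme-prod/subscriptions/orders-billing": "projects/acme-prod/topics/orders-pii",
}
CREATE = "google.pubsub.v1.Subscriber.CreateSubscription"
MODIFY_PUSH = "google.pubsub.v1.Subscriber.ModifyPushConfig"


def is_external(endpoint):
    """True when a push endpoint's host is not under a trusted domain."""
    host = (urlparse(endpoint).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in TRUSTED_PUSH_DOMAINS)


def assess(entry):
    """Return the reasons an entry looks like a tap; an empty list means not flagged."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName")
    if p.get("serviceName") != "pubsub.googleapis.com" or method not in (CREATE, MODIFY_PUSH):
        return []
    req = p.get("request", {})
    topic = req.get("topic") if method == CREATE else SUBSCRIPTION_TOPICS.get(req.get("subscription"))
    if topic not in SENSITIVE_TOPICS:
        return []
    actor = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    if actor in TOPIC_OWNERS:
        return []  # owners are expected to manage their own topic's subscriptions
    reasons = [f"non-owner {actor} changed subscriptions on {topic}"]
    endpoint = (req.get("pushConfig") or {}).get("pushEndpoint")
    if endpoint and is_external(endpoint):
        reasons.append(f"push endpoint outside trusted domains: {endpoint}")
    ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    if not any(start <= ts <= end for start, end in CHANGE_WINDOWS):
        reasons.append("outside any approved change window")
    return reasons


def scan(lines):
    """Run assess() over JSON log lines; return [(subscription, reasons), ...] for hits."""
    findings = []
    for line in lines:
        entry = json.loads(line)
        reasons = assess(entry)
        if reasons:
            req = entry["protoPayload"].get("request", {})
            findings.append((req.get("name") or req.get("subscription"), reasons))
    return findings


def _entry(method, actor, ts, request):
    """Build a minimal constructed Admin Activity entry as one JSON line."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "serviceName": "pubsub.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": actor},
            "request": request,
        },
    })


SAMPLE_LOG_LINES = [  # constructed sample entries
    # owner adds a pull subscription inside the change window: benign
    _entry(CREATE, "orders-svc@acme-prod.iam.gserviceaccount.com", "2024-05-14T02:30:00Z",
           {"name": "projects/acme-prod/subscriptions/orders-analytics",
            "topic": "projects/acme-prod/topics/orders-pii"}),
    # non-owner attaches a push subscription to an unknown host at night: the tap
    _entry(CREATE, "contractor@partner.example", "2024-05-14T23:15:00Z",
           {"name": "projects/acme-prod/subscriptions/metrics-sync",
            "topic": "projects/acme-prod/topics/orders-pii",
            "pushConfig": {"pushEndpoint": "https://ingest.hooks-relay.example/v1"}}),
    # non-owner repoints an existing subscription's push endpoint: also a tap
    _entry(MODIFY_PUSH, "contractor@partner.example", "2024-05-14T23:20:00Z",
           {"subscription": "projects/acme-prod/subscriptions/orders-billing",
            "pushConfig": {"pushEndpoint": "https://ingest.hooks-relay.example/v2"}}),
    # new subscription on a non-sensitive topic: ignored
    _entry(CREATE, "contractor@partner.example", "2024-05-14T23:25:00Z",
           {"name": "projects/acme-prod/subscriptions/health-pings",
            "topic": "projects/acme-prod/topics/heartbeats"}),
]

if __name__ == "__main__":
    for sub, reasons in scan(SAMPLE_LOG_LINES):
        print(sub, "->", "; ".join(reasons))
```

Two things to note when adapting this to real exports: ModifyPushConfig carries no topic in its request, which is why the scanner keeps a subscription-to-topic inventory, and a non-owner who creates a pull subscription still gets flagged, because the page's primary signal is who created it; the external endpoint and the timing only raise the severity.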
The fix that holds
Delete the rogue subscription and revoke the creating principal’s Pub/Sub rights, without touching the topic itself or its legitimate subscriptions. Then move to least-privilege Pub/Sub roles scoped per topic, restrict push endpoints to approved domains, and alert on new subscriptions and push-config changes on sensitive topics.
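The containment step above, as an added example that is not part of the original post: a Python planner that takes a constructed inventory of subscriptions plus the topic's and project's IAM bindings, identifies the rogue subscription and its creator, and emits the gcloud commands that remove only that subscription and only that principal's Pub/Sub roles. The topic, its owners' bindings and the legitimate subscriptions are left alone. Project, topic, principals, endpoints and bindings are constructed; the gcloud subcommands (pubsub subscriptions delete, pubsub topics remove-iam-policy-binding, projects remove-iam-policy-binding) are standard ones.

```python
"""Plan the clean-up of a covert Pub/Sub subscription without touching the topic.

Added example, not from the original post. Inventory, IAM bindings, principals
and endpoints below are constructed; the gcloud commands are standard ones.
"""
from urllib.parse import urlparse

# Roles that grant the ability to attach or read subscriptions; anything else
# the suspect holds (e.g. roles/viewer) is out of scope for this fix.
PUBSUB_ROLES = ("roles/pubsub.admin", "roles/pubsub.editor", "roles/pubsub.subscriber")


def host_allowed(endpoint, trusted_domains):
    """True when the push endpoint's host is under one of the trusted domains."""
    host = (urlparse(endpoint).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def find_rogue(subscriptions, topic, owners, trusted_domains):
    """Subscriptions on `topic` created by a non-owner or pushing outside trusted domains."""
    rogue = []
    for s in subscriptions:
        if s["topic"] != topic:
            continue
        bad_creator = s["creator"] not in owners
        bad_push = bool(s.get("push_endpoint")) and not host_allowed(s["push_endpoint"], trusted_domains)
        if bad_creator or bad_push:
            rogue.append(s)
    return rogue


def plan_remediation(project, topic, subscriptions, topic_bindings, project_bindings, owners, trusted_domains):
    """Return ordered gcloud commands: delete rogue subscriptions, then strip the
    creators' Pub/Sub roles on the topic and on the project. Never deletes the topic."""
    rogue = find_rogue(subscriptions, topic, owners, trusted_domains)
    suspects = {s["creator"] for s in rogue} - set(owners)
    cmds = [f"gcloud pubsub subscriptions delete {s['name']}" for s in rogue]
    # IAM members carry a type prefix (user:, serviceAccount:, group:); match on the email.
    for role, members in topic_bindings.items():
        for m in members:
            if m.split(":", 1)[-1] in suspects:
                cmds.append(f"gcloud pubsub topics remove-iam-policy-binding {topic} "
                            f"--member={m} --role={role}")
    for role, members in project_bindings.items():
        if role not in PUBSUB_ROLES:
            continue
        for m in members:
            if m.split(":", 1)[-1] in suspects:
                cmds.append(f"gcloud projects remove-iam-policy-binding {project} "
                            f"--member={m} --role={role}")
    return cmds


# Constructed scenario: one rogue push subscription among two legitimate ones.
PROJECT = "acme-prod"
TOPIC = "projects/acme-prod/topics/orders-pii"
OWNERS = {"orders-svc@acme-prod.iam.gserviceaccount.com"}
TRUSTED = {"acme.example"}
SUBSCRIPTIONS = [
    {"name": "projects/acme-prod/subscriptions/orders-billing", "topic": TOPIC,
     "creator": "orders-svc@acme-prod.iam.gserviceaccount.com",
     "push_endpoint": "https://billing.acme.example/pubsub"},
    {"name": "projects/acme-prod/subscriptions/orders-analytics", "topic": TOPIC,
     "creator": "orders-svc@acme-prod.iam.gserviceaccount.com"},
    {"name": "projects/acme-prod/subscriptions/metrics-sync", "topic": TOPIC,
     "creator": "contractor@partner.example",
     "push_endpoint": "https://ingest.hooks-relay.example/v1"},
]
TOPIC_BINDINGS = {
    "roles/pubsub.subscriber": ["serviceAccount:orders-svc@acme-prod.iam.gserviceaccount.com",
                                "user:contractor@partner.example"],
}
PROJECT_BINDINGS = {
    "roles/pubsub.editor": ["user:contractor@partner.example", "group:platform-admins@acme.example"],
    "roles/viewer": ["user:contractor@partner.example"],
}


def demo_plan():
    return plan_remediation(PROJECT, TOPIC, SUBSCRIPTIONS, TOPIC_BINDINGS, PROJECT_BINDINGS, OWNERS, TRUSTED)


if __name__ == "__main__":
    print("\n".join(demo_plan()))
```

The order matters: the subscription goes first so the copy stops immediately, and the role removals follow so the principal cannot simply re-create it. The plan is deliberately narrow; revoking broader roles or deleting the topic would be the kind of over-correction that breaks the app.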
Practice it
We built a Pub/Sub data-tap scenario in GraphLattice Range so teams can practice removing the tap without breaking the app and scoping the PII that leaked.