Google hacking, which has been on the rise this summer, is a bit of a misnomer. Also known as Google dorking, Google hacking refers to cybercriminals' enterprising use of Google's advanced search functions to find caches of valuable data ripe for the taking.

Some 43,000 faculty, staff, students and alumni of Yale University are the latest victims. Data thieves apparently found an unprotected File Transfer Protocol (FTP) server containing their names and Social Security numbers, by using a new Google FTP search function introduced last September, says security firm RedSeal.

"With the addition of indexing data that is accessible via FTP, hackers can now identify wide-open FTP sites that may contain sensitive data or can be used to leapfrog to other machines on the company's internal network," says Tom Rabaut, RedSeal analyst. "Also, Google offers the ability to restrict searches to a single domain, which will make it easier for hackers to limit their data mining to only target companies."

The actual search terms used to find vulnerabilities via Google are referred to as "dorks." For any curious database seeker, well-intentioned or not, getting started is as simple as navigating to a public database of dorks.

It hasn't taken much inventiveness for the criminally minded to figure out how to use Google dorks to search for common system files that contain sensitive data with tangible value in the cyberunderground, observes Mike Lloyd, chief scientist at RedSeal.

"Most victims are targets of opportunity," says Lloyd. "Chances are that anyone who got the data from Yale wasn't looking for Yale."

Another example of the exposures opened up by Google hacking comes from security firm Identity Finder. The self-described ethical-hacking company has been using its software in combination with common Google search queries to locate large caches of unencrypted personally identifiable information.

Identity Finder recently discovered several gigabytes of .dbf, .xls, .cdx and .pdf files in a database owned by Southern California Medical-Legal Consultants. The files contained names, addresses, dates of birth and Social Security numbers of 300,000 people who had filed for California workers' compensation.

"The files were neither encrypted nor password-protected and some were cached by at least one major search engine," says Identity Finder CEO Todd Feinman. "If we don't help companies discover exposed data, thieves will find them first and harvest Social Security numbers for illicit use or trade the knowledge of their existence so others can steal them."

Feinman says that when unethical hacking groups find personal information, they routinely post that information to the Internet for everyone to see and potentially download for identity fraud.
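The exposures described above can be checked for from the defender's side before a crawler indexes them. The following Python sketch is an added example, not code from the article, RedSeal or Identity Finder: it walks a directory you serve over FTP or HTTP and flags files with the extensions named above that contain plaintext, hyphenated SSN-shaped values. The function names and the sample tree are constructed for illustration, and compressed or binary-encoded values will not match.

```python
import os
import re
import tempfile

# Extensions the article names as having held exposed personal data.
RISKY_EXTENSIONS = {".dbf", ".xls", ".cdx", ".pdf"}

# Hyphenated SSN shape AAA-GG-SSSS, rejecting values never issued:
# area 000, 666 or 900-999; group 00; serial 0000.
SSN_RE = re.compile(
    rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

def count_ssn_candidates(data: bytes) -> int:
    """Count plaintext SSN-shaped strings in raw file bytes."""
    return len(SSN_RE.findall(data))

def audit_public_root(root: str) -> list[tuple[str, int]]:
    """Return (relative path, candidate count) for risky files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in RISKY_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = count_ssn_candidates(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if hits:
                findings.append((os.path.relpath(path, root), hits))
    return sorted(findings)

def demo() -> list[tuple[str, int]]:
    """Audit a constructed sample tree (all values below are made up)."""
    samples = {
        "claims/filed.dbf": b"DOE JANE 123-45-6789\nROE RICH 234-56-7890\n",
        "claims/notes.txt": b"123-45-6789",  # extension not in scope
        "index.xls": b"order 000-12-3456 ref 1234-56-78901",  # not valid SSNs
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "claims"))
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return audit_public_root(root)

if __name__ == "__main__":
    for rel, hits in demo():
        print(f"{rel}: {hits} SSN-shaped value(s)")
```

Each flagged path is a file to move out of the served directory, encrypt or put behind authentication.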