Canary Token triggered by Google LLC?!

I had my first canary token triggered in my google email tonight when I was out and about. When I saw that it was triggered I changed my password and then began looking into it. A whois of the IP came back with the data listed at the bottom of this post. Basically Google LLC. Does this mean Google is going through my emails or could it be a private party using Google as an ISP or otherwise? How alarmed should I be?

Origin IP: 74.125.80.80

NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
NetName: GOOGLE
NetHandle: NET-74-125-0-0-1
Parent: NET74 (NET-74-0-0-0-0)
NetType: Direct Allocation
Organization: Google LLC (GOGL)
RegDate: 2007-03-13
Updated 2012-02-24

OrgName: Google LLC
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2017-10-16

OrgTechHandle: ZG39-ARIN
OrgTechName: Google LLC
OrgTechPhone: 1-650-253-0000
OrgTechEmail: arin-contact@google.com

OrgAbuseHandle: ABUSE5250-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: 1-650-253-0000
OrgAbuseEmail: network-abuse@google.com

1 Like

This may be a false positive. Can you private message me the link in the email please?

1 Like

My Canary Token is also getting triggered by google. @NathanHouse, sent you a token link to the PM, thx!
Update: trying to find where is PM here, though it would be easier :smiley:

I have sent you a pm

1 Like

Did this get resolved?

Iā€™m having same issue in 2021.

Multiple IP addresses in rapid succession. Too quick to be human

I assume it is a false positive if you are seeing Google itself triggering the token.

Hello,
Just had this mail from url token:One of your canarydrops was triggered.

Channel: HTTP
Time : 2021-08-30 12:38:25.506092
Memo : test
Source IP: 193.148.18.78, 172.70.114.25
User-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1

The iPhone configuration is just like mine 100% but I did not interact with the link/token at this time. I tried manually open it - different IPs but same phone signature. What could it be ? Also those IPs are not familiar ones to me.

The user agent can be the same for similar devices or browsers. The only difference that you can note is the IP address which, as you said, is not familiar to you. So it means someone else accessed the url that you put token on.