Google called me, five minutes ago, confirmed that the attacker indeed came in via the corporate VPN access. On top of that, they told me that the victim machine was a corporate managed machine, not a home computer.
As to why Google employees were running IE v6, Google’s position is that someone might be running IE v6 for testing purposes. Whether this was indeed what happened, they wouldn’t say. Ok, I can buy that you might be running an older version of browser for testing purposes (for backwards compatibility), but why wasn’t the testing environment isolated from production and from access to critical assets? Isn’t that one of the first thing you do in setting up a test environment? Google assured me that they are taking steps to rectify the situation, and for the sake of everyone who trusts Google with their data and applications, I hope they do it soon.
A funny related note: I’ve been trying to get Google’s attention for over a week on a security interview, but they were too busy to respond (understandably, I guess), but five minutes after I put up this blog entry. Google calls me on my mobile. .