A Google insider has revealed that the losses incurred by cyber attacks on the firm disclosed in January included a password system that controls access to almost all Google web services.
The system, code-named Gaia and designed to enable single sign-on to a range of services, was attacked in the cyber raids in December, according to a source cited by the New York Times.
Google quickly made changes to the security of its networks after the attacks, but the theft of Gaia raises the possibility that the attackers may find weaknesses unknown to Google, said observers.
The anonymous source has also revealed that the theft began with an poisoned instant message sent to a Google employee in China using Microsoft Messenger.
The message linked to malicious website that was used by the attackers to gain access to the employee's computer and then to computers in the development division at Google headquarters.
Ultimately, the intruders were able to gain control of a software repository used by the development team, the source has told an internal investigation.
Although Google disclosed the intrusions publicly in January, the details surrounding the attack and losses have been a closely guarded secret.
The company said only that attackers had stolen "intellectual property" and apparently compromised e-mail accounts of human rights advocates in China.
After negotiations the Chinese authorities, Google announced in March that it had stopped censoring Chinese-language search results and was rerouting search queries to its Hong Kong-based site.
Google has declined to comment on the details leaked from the investigation, saying it has dealt with the security issues raised by the theft of the company's intellectual property.