4

Suppose the following scenario:

  • A cloud service reports a breach in which user account information (usernames and password data, e.g. password hashes) was accessed.
  • The attacker has sufficient resources to recover passwords from the hashes (worst-case assumption, not necessarily realistic)—or the service used a sufficiently weak hash algorithm (or even stored passwords in plain text).
  • Alice has an account on that service. However, she logs in with her Google account.

If the designers of the authentication protocol used did their homework, I assume the compromised service would not hold any data that would enable an attacker to access Alice’s account, and Alice would not need to take any actions in response.

Is my assumption correct, or have I overlooked something?

user149408

1 Answer

1

The Google login uses OpenID Connect and therefore does not expose Alice's credentials to the service.

Google handles the authentication process and passes the information that this is indeed Alice to the service provider in the form of a token.

However, if Alice was tricked into entering the password for her Google account in a phishing form on the compromised service, it's still possible to get compromised.

Although it was a different question, Jens Erat provided a great explanation of the protocol involved.

mhr
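As an added illustration (not part of the answer above), this sketch shows the relying-party side of the token hand-off: the service checks the signed ID token's issuer, audience, expiry and nonce, and keeps only an issuer/subject pair for Alice, so its user table holds no password material for her. Assumptions: HS256 with a constructed shared key stands in for the signature that real Google ID tokens carry (verified against Google's published public keys), the client ID, subject and nonce are constructed values, and `user_record` is a hypothetical storage shape.

```python
import base64, hashlib, hmac, json

GOOGLE_ISS = "https://accounts.google.com"
CLIENT_ID = "example-client-id"             # constructed value
CLIENT_SECRET = b"constructed-demo-secret"  # constructed stand-in signing key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_id_token(claims: dict, key: bytes) -> str:
    """Simulated provider side: issue a compact signed token."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def validate_id_token(token: str, key: bytes, nonce: str, now: float) -> dict:
    """Relying-party side: verify the signature, then iss, aud, exp, nonce."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != GOOGLE_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def user_record(claims: dict) -> dict:
    """Hypothetical row stored for a federated user: identifier only."""
    return {"iss": claims["iss"], "sub": claims["sub"], "password_hash": None}

def demo(now: float = 1_700_000_000.0) -> dict:
    claims = {"iss": GOOGLE_ISS, "aud": CLIENT_ID, "sub": "constructed-sub-1234",
              "nonce": "n-1", "exp": now + 300}
    token = sign_id_token(claims, CLIENT_SECRET)
    return user_record(validate_id_token(token, CLIENT_SECRET, "n-1", now))
```
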