482 points sanqui | 1 comments
noitpmeder No.42285295
Not clear (to me) in the original post -- was this done accidentally or intentionally?
replies(4): >>42285340 >>42285374 >>42285593 >>42285609
woodson No.42285609
As a CA, how does one accidentally issue a certificate for google.com? I mean, is there a scenario that isn't malicious?
replies(3): >>42285625 >>42286101 >>42288078
tialaramex No.42288078
Most Certificate Authorities have manual issuance†, at least as an option. There's a UI where an authorized employee can issue whatever they want, the UI may be fairly crude or something quite polished used in ordinary business processes.

So an employee can type in google.com, check any boxes asking whether they verified this is the correct name and it's OK to issue, and then they hit issue and the certificate is minted, just like that.

Why google.com? Well, if you're testing something, say a web browser, what web site comes to mind? Maybe google.com? Doesn't work. Oh - the cable is unplugged. Doesn't work. Wait, this checkbox isn't checked, try again. Aha, now it works... Oops we issued a certificate for google.com

This is a "Never" event, there should be countless things in place to ensure it doesn't happen. In practice, just like safety guards on dangerous machinery, too many people just can't be bothered with safety, it's a cultural issue.

† Let's Encrypt famously does not. As part of the Mozilla application process they need to show their certificates expire properly; usually people either manually issue a back-dated certificate which has expired already, or they manually issue one with a deliberately short lifetime to expire. Since they can't issue manually, Let's Encrypt obtained an ordinary certificate from their own service and then waited ninety days for it to expire like a fucking boss.
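The comment above describes two things a manual-issuance path ought to do: refuse to mint a name like google.com on the strength of a checkbox, and demonstrate that a certificate's validity window actually expires. The following is an added illustration, not code from any CA or from the thread: a toy Go program with a pre-issuance gate in front of `x509.CreateCertificate` and a validity-window check evaluated at an arbitrary instant. The blocklist, the "break-glass" second approval, the 48-hour backdating bound and the 398-day lifetime cap are assumed policy values chosen for the example, and the issuer is a throwaway in-process key rather than a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed blocklist: names the manual UI never mints without a second,
// separately logged "break-glass" approval. The policy details are assumed.
var highValueNames = []string{"google.com"}

// IssuanceRequest is what an operator types into a manual-issuance form.
type IssuanceRequest struct {
	DNSNames            []string
	NotBefore, NotAfter time.Time
	Validated           bool // the "I verified this name" checkbox
	BreakGlass          bool // second approver for high-value names
}

// matchesHighValue is true for a blocklisted name or any subdomain of one.
func matchesHighValue(name string) bool {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	for _, b := range highValueNames {
		if n == b || strings.HasSuffix(n, "."+b) {
			return true
		}
	}
	return false
}

// checkRequest is the pre-issuance gate: it refuses rather than trusting the
// operator. The 48h backdating bound and 398-day cap are illustrative values.
func checkRequest(req IssuanceRequest, now time.Time) error {
	if len(req.DNSNames) == 0 || !req.Validated {
		return errors.New("no names, or domain validation not recorded")
	}
	for _, n := range req.DNSNames {
		if matchesHighValue(n) && !req.BreakGlass {
			return fmt.Errorf("refusing %q: high-value name needs break-glass approval", n)
		}
	}
	if req.NotBefore.Before(now.Add(-48 * time.Hour)) {
		return errors.New("notBefore backdated by more than 48h")
	}
	if d := req.NotAfter.Sub(req.NotBefore); d <= 0 || d > 398*24*time.Hour {
		return errors.New("validity period empty or longer than 398 days")
	}
	return nil
}

// issue runs the gate and, on success, signs a leaf with a throwaway issuer
// key generated in-process (a stand-in for a real CA's signing key).
func issue(req IssuanceRequest, now time.Time) (*x509.Certificate, error) {
	if err := checkRequest(req, now); err != nil {
		return nil, err
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	issuer := &x509.Certificate{ // used only as the parent template
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Manual CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	leaf := &x509.Certificate{ // toy serial; a real CA uses CSPRNG output here
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: req.DNSNames[0]},
		DNSNames: req.DNSNames, NotBefore: req.NotBefore, NotAfter: req.NotAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, issuer, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// expiredAt is the browser's validity-window check, evaluated at any chosen
// instant instead of waiting for real time to pass.
func expiredAt(cert *x509.Certificate, t time.Time) bool {
	return t.Before(cert.NotBefore) || t.After(cert.NotAfter)
}

func main() {
	now := time.Now()
	_, err := issue(IssuanceRequest{DNSNames: []string{"google.com"}, NotBefore: now,
		NotAfter: now.Add(90 * 24 * time.Hour), Validated: true}, now)
	fmt.Println("google.com from the manual UI:", err)
}
```

The gate lives in front of the signing call, not in the UI, so an unchecked box or a typed-in high-value name fails closed regardless of how polished or crude the form is; `expiredAt` shows the expiry property as a function of the certificate's own `NotBefore`/`NotAfter` fields rather than of wall-clock waiting.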