Google reveals G Suite users’ passwords were stored in plain text for over a decade
Search giant Google has admitted that it accidentally stored G Suite (formerly Google Apps) users’ passwords in plain text on its internal servers for 14 years.
Suzanne Frey, Vice President of Engineering for Google Cloud Trust, revealed in a blog post published on Tuesday that the issue affected only G Suite enterprise accounts; no free consumer Google accounts, such as Gmail, were affected.
“We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed. This is a G Suite issue that affects business users only–no free consumer Google accounts were affected,” Frey said.
The issue was caused by an error in the implementation of an outdated feature for manually setting and recovering passwords, which led to an unhashed copy of the password being stored on Google’s systems.
“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Frey added.
The blog post also disclosed a second bug, discovered in January 2019, in which Google had inadvertently stored a subset of unhashed passwords on its secure encrypted infrastructure for a period of 14 days. This issue was also fixed, with no evidence of improper access to or misuse of the affected passwords.
Google has notified G Suite administrators to change the passwords of the accounts affected by the issue. As a precaution, any affected accounts whose passwords have not been changed in response to the request will be reset automatically.
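The defect described above is a storage problem rather than a cryptographic one: the login path hashed passwords correctly, but a separate admin feature kept an unhashed copy beside the hash. The following added example (not Google's code, and not from the blog post) shows the expected pattern, a salted, iterated hash that can be verified without ever keeping the plaintext, next to the flawed pattern of a recovery field holding the raw password, plus a small audit routine that flags such records. The algorithm (PBKDF2-HMAC-SHA256 with 600,000 iterations), the record layout and the field names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, 600,000 iterations,
# 16-byte random salt, encoded as one self-describing string.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'algo$iterations$salt_b64$hash_b64'; the plaintext is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False                           # malformed record: fail closed
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def create_account_unsafe(username: str, password: str) -> dict:
    """The flawed pattern: a 'recovery' feature keeps an unhashed copy next to the hash."""
    return {
        "user": username,
        "password_hash": hash_password(password),
        "recovery_password": password,         # plaintext copy: this is the defect
    }


def create_account(username: str, password: str) -> dict:
    """The expected pattern: only the hash string is persisted."""
    return {"user": username, "password_hash": hash_password(password)}


def find_plaintext_credentials(records) -> list:
    """Audit helper: flag any credential field that is not a recognised hash string.

    Returns (user, field) pairs. Running a check like this over a credential
    store is one way to catch an unhashed copy introduced by a side feature.
    """
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "user":
                continue
            if not (isinstance(value, str) and value.startswith(ALGO + "$")):
                findings.append((rec["user"], field))
    return findings


if __name__ == "__main__":
    # Constructed sample records for a local run.
    store = [create_account_unsafe("alice", "correct horse battery"),
             create_account("bob", "staple")]
    print(verify_password("staple", store[1]["password_hash"]))   # True
    print(find_plaintext_credentials(store))                       # [('alice', 'recovery_password')]
```

The audit routine only recognises the hash format this example emits; in a real deployment the check would enumerate every column or key a credential can land in, including those written by administrative and recovery tooling, since that is exactly the path on which the unhashed copy appeared here.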
“Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password,” Frey added. “In addition, we provide G Suite administrators with numerous 2-step verification (2SV) options, including Security Keys, which Google relies upon for its own employee accounts.”
Frey concluded the blog post by saying, “We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.”
In March this year, social media giant Facebook acknowledged that it had stored millions of passwords in plain text on its internal servers for up to 7 years, leaving them searchable by as many as 20,000 of its employees.