Google Stored G Suite Customers Passwords in Plain Text
In a blog post published yesterday, Google revealed that it had discovered a bug that caused the passwords of some G Suite users to be stored in plain text.
The bug dates back to 2005, although Google says it has found no evidence of improper access to anyone's password.
Google is resetting any passwords that might be affected and notifying G Suite administrators about the problem.
G Suite is the business version of Gmail and Google's other apps. The bug stemmed from a feature built specifically for business customers.
Originally, a G Suite administrator could set a user's password manually, for example before a new employee came on board. When this was done, the admin console kept a copy of the password in plain text instead of storing only a hash of it. Google has since removed this option for administrators.
Google's post takes the time to explain how cryptographic password hashing works, presumably so that the nuances of this incident are clear: a properly hashed password cannot be recovered from the stored value, whereas a plain-text copy can be read by anyone who reaches the system holding it.
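To make that distinction concrete, here is an added example contrasting the two storage behaviours. It is not Google's code and not from the original post; the function names, record format and PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration; the record format
# "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" is self-describing,
# so the verifier never needs to know them in advance.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The unsafe behaviour: the stored record *is* the password.

    Anyone who can read this record (an admin console, a backup,
    an internal dump) has the user's credential with no further work.
    """
    return "plain$" + password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The correct behaviour: store a salted, slow, one-way hash.

    The salt is random per user so identical passwords give different
    records; PBKDF2 makes each guess expensive for an attacker who
    obtains the record.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the parameters stored in the record
    and compare in constant time. Returns False for malformed records."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate, expected)


def leaks_plaintext(record: str, password: str) -> bool:
    """Audit check: does the stored record contain the password itself?

    This is the property the G Suite admin console got wrong. A hashed
    record never contains the password, so the check is False for it.
    """
    return password in record


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    bad = store_plaintext(pw)
    good = hash_password(pw)
    print("plaintext record leaks password:", leaks_plaintext(bad, pw))
    print("hashed record leaks password:   ", leaks_plaintext(good, pw))
    print("hashed record still verifies:   ", verify_password(pw, good))
```

The point of `verify_password` is that login still works with nothing but the hash on disk: recovering the password from the record is not required, so there is no reason to keep a plain-text copy anywhere, including in an admin console that sits inside otherwise encrypted storage.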
“We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” Suzanne Frey, Google Cloud VP of Engineering wrote.
Although the passwords were stored in plain text, they were at least plain text on Google's internal servers rather than out on the open Internet, which makes them considerably harder to reach than a leaked password dump.
Though Google did not say so explicitly, the post also seems intended to keep this bug from being lumped in with the more common kind of password incident, in which passwords actually leaked. Google has nonetheless prompted affected users to reset their passwords.
Google has not said how many users are likely to be affected, only that the bug touched "a subset of our enterprise G Suite customers", presumably anyone whose password was set through the affected feature since 2005.
And while Google has found no evidence that anyone used this access for malicious purposes, it is unclear who had access to the systems holding those unhashed passwords.
In any case, the issue is now fixed, and Google's post is suitably apologetic:
We take the security of our enterprise customers extremely seriously and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.