Google admits it left some G Suite passwords stored in plaintext and searchable by employees for 14 YEARS
- Google found that some user passwords were stored in plaintext for 14 years
- Issue only impacts customers of G Suite, a Google product for enterprises
- The firm said it has seen no evidence of ‘improper use’ since it was discovered
Google said that it accidentally left some enterprise customers’ passwords exposed on its servers for as long as 14 years.
A ‘small percentage of G Suite users’ were affected by a bug in its system that meant their passwords were stored in plaintext, giving some Google employees unfiltered access to the data, according to Wired.
G Suite is a product aimed at businesses that offers bundled access to Google services like Gmail, Google Drive and Calendar, as well as other enterprise features.
The incident comes not long after fellow tech giants Facebook and Twitter disclosed their own privacy slip-ups, wherein they discovered some passwords were stored in plaintext.
WHAT SHOULD YOU DO NOW?
Google said it has already begun notifying enterprises who were affected by the issue.
The firm said it will also reset any impacted passwords that haven’t been changed ‘out of an abundance of caution.’
Google recommended that users take advantage of two-factor authentication to add an extra layer of security to their accounts.
The firm said it provides G Suite administrators with security keys, which can help prevent bad actors from hacking into your account if they don’t have access to the physical key.
Because the bug only affects G Suite users, consumers don’t need to worry about their accounts being affected by the issue.
Google said it has begun notifying enterprise G Suite customers that some of their passwords were stored in plaintext.
‘We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials,’ said Suzanne Frey, vice president of engineering for Google’s Cloud Trust.
Typically, Google stores users’ passwords by hashing them, which turns a password into a seemingly random string of characters.
Each time someone signs in, Google verifies that their password is correct by comparing their hashed password with the one on its servers. When it’s determined to be a match, they can proceed to sign in.
As part of G Suite, domain administrators had the ability to set and recover passwords, which proved to be helpful when onboarding new users.
However, Google discovered that a bug in the admin console meant users’ passwords were stored unhashed.
While the passwords were in plaintext, Frey said they ‘remained in our secure encrypted infrastructure.’
The passwords were stored this way in the admin console since 2005, the firm said.
Google has since removed this feature.
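The hash-and-compare sign-in check described above, together with an audit that flags records stored unhashed, as an added example that is not Google's code. The record format, PBKDF2 parameters, function names and sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed record format: "pbkdf2_sha256$<salt hex>$<digest hex>".
# Scheme and iteration count are illustrative choices, not Google's.
SCHEME, ITERATIONS, SALT_LEN, DIGEST_LEN = "pbkdf2_sha256", 600_000, 16, 32


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def hash_password(password: str) -> str:
    """Return a salted record; the plaintext itself is never stored."""
    salt = os.urandom(SALT_LEN)
    return f"{SCHEME}${salt.hex()}${_derive(password, salt).hex()}"


def is_hashed(record: str) -> bool:
    """True only if the stored value parses as a well-formed hash record."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != SCHEME:
        return False
    try:
        salt, digest = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    return len(salt) == SALT_LEN and len(digest) == DIGEST_LEN


def verify_password(attempt: str, record: str) -> bool:
    """Re-hash the sign-in attempt with the stored salt and compare digests."""
    if not is_hashed(record):
        return False  # never authenticate against an unhashed record
    _, salt_hex, digest_hex = record.split("$")
    candidate = _derive(attempt, bytes.fromhex(salt_hex))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_store(store: dict) -> list:
    """List accounts whose stored value is not a hash and needs a reset."""
    return sorted(user for user, rec in store.items() if not is_hashed(rec))


# Constructed sample store: "bob" was written by a path that skipped hashing.
SAMPLE_STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": "Welcome2019!",
}
```

Running `audit_store` over every place credentials are written, including admin and recovery paths, is how a record like the constructed "bob" entry gets caught and queued for a forced reset.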
The firm also made a separate discovery that, beginning in January, it had been storing a ‘subset’ of unhashed passwords in its encrypted infrastructure.
This subset of passwords was stored in plaintext for 14 days, Frey explained.
‘This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords,’ she added.
Frey added that Google will continue to investigate the incident to ensure it’s an isolated event.
‘Here we did not live up to our own standards, nor those of our customers,’ she said. ‘We apologize to our users and will do better.’