G Suite administrators’ passwords were unhashed for 14 years, notifies Google

3 min read

Today, Google notified its G Suite administrators that some of their passwords were being stored in an encrypted internal system unhashed, i.e., in plaintext, since 2005. Google also states that the error has been fixed and this issue had no effect on the free consumer Google accounts.

In 2005, Google had provided G Suite domain administrators with tools to set and recover passwords. This tool enabled administrators to upload or manually set user passwords for their company’s users. This was made possible for helping onboard new users with their account information on their first day of work, and for account recovery. However, this action led to admin console storing a copy of the unhashed password.

Google has made it clear that these unhashed passwords were stored in a secure encrypted infrastructure. Google is now working with enterprise administrators to ensure that the users reset their passwords. They are also conducting a thorough investigation and have assured users that no evidence of improper access or misuse of the affected passwords have been identified till now.

Google has around 5 million users using G Suite. Out of an abundance of caution, the Google team will also reset accounts of those who have not done it themselves.

Additionally, Google has also admitted to another mishap. In January 2019, while troubleshooting new G Suite customer sign-up flows, an accidentally stored subset of unhashed passwords was discovered. Google claims these unhashed passwords were stored for only 14 days and in a secure encrypted infrastructure. This issue has also been fixed and no evidence of improper access or misuse of the affected passwords have been found.

In the blogpost, Suzanne Frey, VP of Engineering and Cloud Trust, has given a detailed account of how Google stores passwords for consumers & G Suite enterprise customers.

Google is the latest company to have admitted storing sensitive data in plaintext. Two months ago, Facebook had admitted to have stored the passwords of hundreds of millions of its users in plain text, including the passwords of Facebook Lite, Facebook, and Instagram users.

Read More: Facebook accepts exposing millions of user passwords in a plain text to its employees after security researcher publishes findings

Last year, Twitter and GitHub also admitted to similar security lapses.

Users are shocked that it took Google 14 long years to identify this error. Others are concerned if even a giant company like Google cannot secure its passwords in 2019, what can be expected from other companies.

A user on Hacker News comments, “Google operates what is considered, by an overwhelming majority of expert opinion, one of the 3 best security teams in the industry, likely exceeding in so many ways the elite of some major world governments. And they can’t reliably promise, at least not in 2019, never to accidentally durably log passwords. If they can’t, who else can? What are we to do with this new data point?

The issue here is meaningful, and it’s useful to have a reminder that accidentally retaining plaintext passwords is a hazard of building customer identity features.

But I think it’s at least equally useful to get the level set on what engineering at scale can reasonably promise today.”

To know more about this news in detail, head over to Google’s official blog.

Read Next

Google announces Glass Enterprise Edition 2: an enterprise-based augmented reality headset

As US-China tech cold war escalates, Google revokes Huawei’s Android support, allows only those covered under open source licensing

Google AI engineers introduce Translatotron, an end-to-end speech-to-speech translation model