Select Page

After Facebook and Twitter, Google becomes the latest technology giant to have accidentally stored its users’ passwords unprotected in plaintext on its servers—meaning any Google employee who has access to the servers could have read them.

In a blog post published Tuesday, Google revealed that its G Suite platform mistakenly stored unhashed passwords of some of its enterprise users on internal servers in plaintext for 14 years because of a bug in the password recovery feature.

G Suite, formerly known as Google Apps, is a collection of cloud computing, productivity, and collaboration tools that have been designed for corporate users with email hosting for their businesses.

It’s basically a business version of everything Google offers.

The flaw, which has now been patched, resided in the password recovery mechanism for G Suite customers that allows enterprise administrators to upload or manually set passwords for any user of their domain without actually knowing their previous passwords in order to help businesses with on-boarding employees and for account recovery.

If the admins did reset, the admin console would store a copy of those passwords in plain text instead of encrypting them, Google revealed.

“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password,” Google says.

However, Google also says that the plain text passwords were stored not on the open Internet but on its own secure encrypted servers and that the company found no evidence of anyone’s password being improperly accessed.

“This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure,” Google says. “This issue has been fixed, and we have seen no evidence of improper access to or misuse of the affected passwords.”

Google also clarifies that the bug was restricted to users of its G Suite apps for businesses and that no free version of Google accounts like Gmail were affected.

Though the company did not disclose how many users might have been affected by this bug beyond just saying the issue affected “a subset of our enterprise G Suite customers,” with more than 5 million G Suite enterprise customers, the bug could affect a large number of users — presumably any user who used G Suite in last 14 years.

images from Hacker News