Google kept G Suite users' passwords unencrypted


22 May 2019

For 14 years, Google kept G Suite users' passwords unencrypted

Just recently, Facebook drew widespread criticism for storing the passwords of its users in plain text.

The issue lasted for years, but as it turns out, the social network wasn't alone in this act.

For 14 years, Google, the biggest technology giant in the world, had also stored the passwords of many of its users in an unencrypted, plain-text format.

Here are the details.

Issue

Google kept G Suite businesses' passwords unhashed

Normally, passwords are hashed with a cryptographic key to prevent them from being read even if they are accessed by mistake.

However, Google recently acknowledged that an error associated with its password recovery implementation led to the storage of some G Suite users' passwords in an unhashed format.

The plain-text passwords had been kept on its internal system since 2005.

Issue stemmed from a G Suite-specific feature for companies

The problem of unhashed passwords stemmed from a feature that let company administrators for G Suite set user passwords manually. The passwords they chose were stored in an unencrypted format on the administrator console and on Google's systems.
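
As an added illustration (not Google's code, and not part of the original article), the sketch below shows an admin-set-password path that persists only a salted PBKDF2 hash, next to a constructed weak variant that also keeps a readable copy, and an audit helper that flags such records. The store layout, field names, function names and iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed for this example)
ALLOWED_FIELDS = {"salt", "iter", "hash"}  # the only fields a record may hold


def hash_password(password, salt=None):
    """Derive a salted one-way hash; the return value is all that gets stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iter": ITERATIONS, "hash": digest.hex()}


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def admin_set_password_unsafe(store, user, password):
    """Constructed weak variant: a readable copy is persisted with the record."""
    store[user] = {**hash_password(password), "plaintext_copy": password}


def admin_set_password(store, user, password):
    """Hardened path: an admin-chosen password is hashed like any other."""
    store[user] = hash_password(password)


def audit_store(store):
    """Return users whose record carries any field beyond salt/iter/hash."""
    return sorted(u for u, rec in store.items() if set(rec) - ALLOWED_FIELDS)


if __name__ == "__main__":
    store = {}  # constructed in-memory stand-in for a credential database
    admin_set_password_unsafe(store, "alice", "Constructed-Passw0rd!")
    admin_set_password(store, "bob", "Another-Constructed-1")
    print("records needing reset:", audit_store(store))
```

Users returned by `audit_store` are the ones whose passwords would need to be reset, as with the affected accounts in this incident.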

Solution

Now, the issue has been resolved

Notably, Google disabled the capability once the issue gained momentum.

The company says that there is no evidence of the bug being exploited or anyone accessing the plain-text passwords in question.

Also, it is worth noting that the passwords were on Google's internal systems, which would have made it difficult for an outsider to get their hands on them.

Remedial

Affected users are being alerted now

The search giant hasn't said how many users might have been impacted, but it has already started resetting passwords and emailing affected customers about the issue.

Also, the issue was limited to a subset of people using G Suite, which is the corporate version of Gmail and other Google apps. The consumer accounts were not impacted.

Google apologized and promised to maintain security standards

"We take security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry's best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better."

Other issues

Facebook and Twitter have been involved in similar cases

The latest issue didn't impact consumer Google accounts, but it definitely highlights the problem of poor security on the internet.

Just recently, millions of Facebook and Instagram passwords were stored in the same way, and some 20,000 Facebook employees could have accessed them.

Similarly, back in May 2018, Twitter suffered a breach and asked all 330 million of its users to change their passwords.
