Google Failed To Fully Secure G Suite Passwords For 14 Years

Facebook, as well as having left the data of "hundreds of millions" of Facebook Lite users potentially vulnerable to attack, stored the passwords of millions of users of its subsidiary Instagram in a readable format.

Google has revealed that a number of G Suite user passwords were accidentally stored in plaintext for 14 years due to a bug in how password encryption was implemented.

The bug revealed today was traced back to a tool built in 2005 that allowed administrators to set passwords for new employees. That tool stored a copy of the plaintext password, Google said. The issue, which only affected a portion of enterprise G Suite users, has been around since 2005.

Google is the latest tech giant to announce an issue with unhashed passwords stored on its internal servers.

"We recently notified G Suite administrators to change those impacted passwords".

"To be clear, these passwords remained in our secure encrypted infrastructure".

"We have seen no evidence of improper access to or misuse of the affected passwords", said Suzanne Frey, vice president of engineering at Google's cloud trust division.

The second incident is more recent: it was discovered in January 2019, when Google was troubleshooting new G Suite customer sign-up flows.

Under normal circumstances, this bug shouldn't be a huge security risk for affected customers, as an attacker would have had to breach Google's infrastructure first, locate the encrypted passwords in its vast data centers, and then retrieve the proper decryption key to decrypt the passwords before using any of them. A subset of unhashed passwords were saved in its encrypted system for 14 days before the issue was fixed.

"We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry's best practices for account security", said Google.
