Google has revealed that it stored passwords of G Suite customers in plaintext for 14 years on its servers.
According to the blog post published by Google, a bug in G Suite’s password recovery mechanism stored the passwords of some customers unhashed in its encrypted internal system between 2005 and 2019.
G Suite is a brand of cloud computing, productivity and collaboration tools, software and products developed by Google, launched on August 28, 2006.
The issue was discovered in G Suite enterprise accounts, which allowed domain administrators to upload or manually set passwords for their company’s users without knowing their previous passwords.
This was intended to help new employees receive account information on their first day and to support account recovery.
The admin console stored a copy of the unhashed password when admins reset the password because of an error made by Google when implementing this functionality back in 2005.
Google also gave assurances that the unhashed passwords were stored on its own encrypted server and that it did not find any evidence that these passwords were improperly accessed or misused.
“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
Google also disclosed a second incident: starting in January 2019, it inadvertently stored passwords created during the sign-up procedure in unhashed form.
The issue was discovered when they were troubleshooting new G Suite customer sign-up flows.
“In addition, as we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure.”
Unlike in the first incident, these passwords were stored for only 14 days, which minimized the bug’s impact.
Google is investigating this issue and has not found any evidence of improper access or misuse of these passwords.
Google has now patched both issues and started notifying the affected customers to reset their passwords.
Google also said they will automatically reset the passwords of accounts that have not done so themselves.