A bug in Google’s G Suite left some users’ passwords stored in plain text for the past 14 years, though the company doesn’t believe the information was accessed by unauthorized third parties.
“We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” Google said in a blog post, stressing that the issue only affects business users, not consumers.
“We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials,” said the company, which is currently working with enterprise administrators to make sure they compel users to reset passwords.
Google typically hashes passwords, but a glitch in a 2005 tool that let domain administrators upload or manually set passwords for users, to aid in onboarding and account recovery, left some passwords stored in plain text.
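A minimal model of the flaw described above, added here as an illustration (this is not Google’s code; the credential record format and the PBKDF2 parameters are assumptions): a second, administrative write path that skips hashing, the single-setter design that removes that path, and an audit that flags stored records that are not in the expected hash format.

```python
import base64
import hashlib
import hmac
import os
import re

# Assumed credential record format for this example: pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>
HASH_RE = re.compile(r"^pbkdf2_sha256\$\d+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256, serialised so the record format can be recognised on audit."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    """Constant-time check; a record that is not in the hash format is rejected, never compared raw."""
    if not HASH_RE.match(stored):
        return False
    _, iters, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


class VulnerableStore:
    """Two write paths: self-service hashes, but the admin upload/set tool persists the raw password."""
    def __init__(self):
        self.records = {}
    def user_set_password(self, user, pw):
        self.records[user] = hash_password(pw)
    def admin_set_password(self, user, pw):
        self.records[user] = pw  # the bug: plaintext written to the credential store


class HardenedStore:
    """Every write path, admin tooling included, funnels through one setter that always hashes."""
    def __init__(self):
        self.records = {}
    def _set(self, user, pw):
        self.records[user] = hash_password(pw)
    user_set_password = _set
    admin_set_password = _set


def audit_unhashed(records):
    """Defender's check: users whose stored credential is not a recognised hash record."""
    return sorted(user for user, rec in records.items() if not HASH_RE.match(rec))
```

Running the audit against the vulnerable store lists every account written through the admin path; against the hardened store it lists nothing.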
“It’s concerning that Google just discovered that G Suite passwords were stored in plaintext since 2005,” said Kevin Gosschalk, CEO of Arkose Labs, noting that with more than five million G Suite enterprise customers, “this mistake should have been recognized and prevented fourteen years earlier with proactive, ongoing security testing.”
Admitting it “made an error when implementing this functionality back in 2005,” the company said “the issue has been fixed” and assured administrators that the passwords remained in its secure encrypted infrastructure.
“The problem is we often don’t know the full extent of an issue like this for years to come. That means, when G Suite users are logging into their accounts, we want to believe, really believe, that they are the legitimate account owners,” said Robert Prigge, president of Jumio. “But, at the end of the day, we don’t know for sure. And the weakest link in the security chain is again Google’s username and password.” That’s a paradigm companies like Google must evolve beyond, he said.
As it was troubleshooting the sign-up flows for new G Suite customers, Google also found that in January it “had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure…for a maximum of 14 days,” the blog post said. That issue has since been resolved and the company has found “no evidence of improper access to or misuse of the affected passwords.”
The tech giant said it will continue to conduct security audits to ensure that the incident was isolated.
But Gosschalk called for enterprises to constantly re-evaluate and test “their security measures to make sure lapses in security or, in this instance, a faulty password setting and recovery offering, does not jeopardize its customers or their accounts.”