Google Stored Users’ Passwords In Plaintext

Google has revealed that some of its enterprise customers had their passwords stored on its systems in plaintext.

The tech giant announced on Tuesday (May 21) that the bug affected “a small percentage of G Suite users,” so it did not impact individual consumer accounts, but affected some corporate accounts. Google is working with enterprise administrators to ensure that users reset their passwords, and has been investigating the incident. So far, the company claims there is no evidence of improper access to or misuse of the affected credentials.

“We recently notified G Suite administrators to change those impacted passwords. Out of an abundance of caution, we will reset accounts that have not done so themselves. Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts, even when the attacker knows the password. In addition, we provide G Suite administrators with numerous 2-step verification (2SV) options, including Security Keys, which Google relies upon for its own employee accounts,” wrote Google VP of Engineering Suzanne Frey in a blog post.

While passwords are typically scrambled via a hashing algorithm, G Suite administrators can manually upload, set and recover new user passwords. The company discovered last month that the way it implemented password settings and recovery for its enterprise offering in 2005 was incorrect, and improperly stored a copy of the password in plaintext. It has since removed the feature.

“To be clear, these passwords remained in our secure encrypted infrastructure,” said Frey. “This issue has been fixed, and we have seen no evidence of improper access to or misuse of the affected passwords.”

Google said it also discovered a second security lapse earlier this month, improperly storing “a subset” of unhashed G Suite passwords on its internal systems for up to two weeks. The company said the systems were only accessible to a limited number of authorized Google staff.

“This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords,” said Frey.