A bug in Google's G Suite left the passwords of some users to be stored in plain text for the past 14 years, though the company doesn’t believe the information was accessed by unauthorized third parties.
“We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” Google said in a blog post, stressing that the issue only affects business users, not consumers.
“We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials,” said the company, which is currently working with enterprise administrators to make sure they compel users to reset passwords.
Google typically hashes passwords but a glitch in a tool in 2005 that let domain administrators to upload or manually set passwords for users to aid in the onboarding and recovery processes left some passwords stored in plain text.
“It’s concerning that Google just discovered that G Suite passwords were stored in plaintext since 2005,” said Kevin Gosschalk, CEO, Arkose Labs, noting that with more than five million G Suite enterprise customers, “this mistake should have been recognized and prevented fourteen years earlier with proactive, ongoing security testing.”
Admitting it “made an error when implementing this functionality back in 2005,” the company said “the issue has been fixed” and assured administrators that the passwords remained in its secure encrypted infrastructure.
“The problem is we often don't know the full extent of an issue like this for years to come. That means, when G Suite users are logging into their accounts, we want to believe, really believe, that they are the legitimate account owners,” said Robert Prigge, president of Jumio. “But, at the end of the day, we don't know for sure. And the weakest link in the security chain is again Google's username and password.” That’s a paradigm, he said, companies like Google must evolve beyond.
As it was troubleshooting the sign-up flows for the new G Suite customer, Google also found that in January it “had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure…for a maximum of 14 days,” the blog post said. That issue has since been resolved and the company has found “no evidence of improper access to or misuse of the affected passwords.”
The tech giant said it will continue to conduct security audits to ensure that the incident was isolated.
But Gosschalk called for enterprises to constantly re-evaluate and test “their security measures to make sure lapses in security or, in this instance, a faulty password setting and recovery offering, does not jeopardize its customers or their accounts.”