Google Failed To Fully Secure G Suite Passwords For 14 Years

Ruben Fields
May 23, 2019

Google today revealed that a bug in an old G Suite tool resulted in the company storing customer passwords in an unhashed, but encrypted, form for almost 14 years, between 2005 and 2019. The issue affected only a portion of enterprise G Suite users.

But she made sure to note that in both cases the unhashed passwords were stored in Google's encrypted internal systems and that they "have seen no evidence of improper access to or misuse of the affected passwords".

The blog post read: "To be clear, these passwords remained in our secure encrypted infrastructure".

The bug affected Google's enterprise G Suite customers; those with free consumer Google accounts need not worry. "This practice did not live up to our standards", she added.

"We recently notified G Suite administrators to change those impacted passwords. We apologize to our users and will do better", concluded the blog.

In a blog post published on Tuesday (21 May), the company's VP of engineering and cloud trust, Suzanne Frey, explained that the company uses cryptographic hashes to mask stored passwords.

Earlier in May, Google identified another security flaw while troubleshooting the new customer sign-up feature of G Suite. At that time, the admin console of enterprise accounts stored a copy of unhashed passwords.

There was no indication that any of the passwords were misused, Google said, which means resetting the accounts would mostly be a precautionary measure.

In brief: After Facebook and Twitter admitted to the same thing, Google says it has also found a bug that caused it to store some passwords in plain text. The problem was that, since January 2019, the new G Suite had stored a subset of passwords in an unhashed form on its internal systems, although these were stored for no more than two weeks. Google has also notified data protection regulators about the security lapse.
