Google has been storing G Suite passwords in plain text for 14 years
Google reports that the passwords of a small number of its G Suite enterprise customers were stored on its internal systems in plaintext for 14 years. The exposure was disclosed in a blog post published on May 22nd. Google has not said how many customers were affected, but states that the issue has been fixed.
According to Suzanne Frey, Google's vice president of engineering, some of the stored passwords were found unhashed, meaning that Google employees with access to those systems could have read them:
We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.
Passwords are normally stored only as the output of a one-way hash function, so that even employees with access to the stored data cannot read them. G Suite administrators can manually set new passwords for users in their organization and recover them. In April, however, Google discovered that this admin feature had been faulty since 2005: alongside the hashed value, it kept a copy of each password in plaintext rather than in hashed form.
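To make the distinction in the paragraph above concrete, the following Python is an added example, not Google's code or anything from the G Suite admin console. It shows the salted one-way hashing that should be the only thing persisted, a flawed admin "set password" path that also keeps a plaintext copy (the failure class described here), a hardened version of the same operation, and an audit that finds records still carrying a plaintext copy. The hash parameters, record field names and usernames are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Parameters assumed for this illustration (not Google's). PBKDF2-HMAC-SHA256
# with 600,000 iterations follows current OWASP guidance; any deliberately
# slow, salted password hash (scrypt, Argon2, bcrypt) serves the same purpose.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing, salted, one-way hash of `password`.

    Only this string should ever be stored. It cannot be reversed to recover
    the password; verification re-derives it from a candidate password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Check `candidate` against a string produced by hash_password()."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != f"pbkdf2_{HASH_NAME}":
        raise ValueError(f"unsupported hash format: {algo}")
    recomputed = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def admin_set_password_flawed(directory: Dict[str, dict],
                              username: str, password: str) -> None:
    """Illustrates the defect class in the article: the hash is written
    correctly, but the set/recover tooling also persists the plaintext."""
    directory[username] = {
        "password_hash": hash_password(password),
        "recovery_copy": password,  # plaintext persisted alongside the hash
    }


def admin_set_password_hardened(directory: Dict[str, dict],
                                username: str, password: str) -> None:
    """Same operation, storing only the one-way hash."""
    directory[username] = {"password_hash": hash_password(password)}


def find_plaintext_records(directory: Dict[str, dict]) -> List[str]:
    """Audit check: any extra field whose value verifies against the record's
    own hash is a plaintext copy of the password. Returns offending users."""
    offenders = []
    for username, record in directory.items():
        for field, value in record.items():
            if field == "password_hash" or not isinstance(value, str):
                continue
            if verify_password(value, record["password_hash"]):
                offenders.append(username)
                break
    return sorted(offenders)


if __name__ == "__main__":
    # Constructed sample directory with one record from each code path.
    users: Dict[str, dict] = {}
    admin_set_password_flawed(users, "alice@example.com", "Tr0ub4dor&3")
    admin_set_password_hardened(users, "bob@example.com", "correct horse battery")
    print("plaintext copies found for:", find_plaintext_records(users))
    print("login check:", verify_password("correct horse battery",
                                          users["bob@example.com"]["password_hash"]))
```

The audit is the check a practitioner would actually want after an incident like this one: it does not trust field names, it tests whether any stored string reproduces the record's own hash, so a plaintext copy hidden under an innocuous column name is still caught.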
A second flaw discovered while fixing the first
Google says its own investigation has so far found no evidence that the affected credentials were improperly accessed or misused:
We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials.
However, while troubleshooting new G Suite customer sign-ups this month, the company found a second issue: beginning in January, unhashed passwords for some newly created accounts had been stored in its internal systems for up to two weeks. According to Google, those systems were accessible only to authorized Google staff.
Google has notified G Suite administrators so that they can reset the affected passwords, and says it will reset any that have not yet been changed. The company also reported the exposure to data protection regulators. Consumer Gmail accounts are not affected; only enterprise G Suite accounts are.
Other cases of companies storing unhashed passwords
Google is neither the only nor the first company to have accidentally stored customers' unhashed passwords on internal systems. Last year, Twitter discovered a bug that caused the passwords of its 336 million users to be written to an internal log in plaintext. This year, Facebook disclosed a similar problem: the passwords of hundreds of millions of Facebook and Instagram users had been stored in plaintext on internal servers.
Google has removed the ability for G Suite administrators to set and recover user passwords through the affected feature, and has emailed administrators so that they can inform impacted users, have them reset their passwords, and take other precautions. Given that G Suite has more than 5 million enterprise customers, a large number of organizations could be affected, and any organization that used the feature since 2005 is potentially in scope.
Google has not disclosed further technical details. Security consultant Dave Kennedy of TrustedSec said that Google's report is too vague to determine what caused the incidents, and that, without more detail, it is unclear whether an attacker with access to the running applications or the underlying systems could have read the passwords.