In a blog post today, Google announced that it recently discovered a bug that caused the passwords of a portion of G Suite users to be stored in plain text. The bug has existed since 2005. According to Google, however, there is no indication that any user's password was improperly accessed. Google is resetting potentially affected passwords and informing G Suite administrators about the problem.
G Suite is the corporate version of Google Mail and other Google apps, and the bug apparently arose in this product because of a feature designed specifically for it. Previously, a company's G Suite administrator could set user passwords manually
Google's post works hard to explain how cryptographic hashing works, probably to make sure that the nuances surrounding it are clear. Although the passwords were stored in plain text, they were at least stored on Google's servers, making them more difficult to find than if they had been on the open Internet. Although Google did not explicitly say so, it also looks like it wants to make sure that people do not put this bug in the same category as other plain text password problems in which the passwords leaked.
And oh, there have been so many of them, as Wired notes. Twitter advised all 330 million of its users to change their passwords in March due to an incident. Facebook stored "hundreds of millions" of passwords in plain text, allowing up to 20,000 of its employees to access them. Instagram had to admit that the Facebook incident had actually affected millions of Instagram users (not the previously announced smaller number).
Google did not say exactly how many users were affected by this bug, except that it was "a subset of our Enterprise G Suite customers", presumably anyone using G Suite in 2005. Google could not find evidence that anyone had used this access maliciously, but it is also not very clear who would have had access to these plain text files.
In any case, the issue is now resolved, and Google expresses regret in its post:
We take the security of our corporate customers very seriously and are proud to push ahead with industry best practices for account security. Here we have not met our own claims and those of our customers. We apologize to our users and will do better.