It happened again: Google announced today that it is the latest technology company to accidentally store user passwords unprotected in plain text. G Suite users, watch out.
Google states that the error affected "a small percentage of G Suite users". This means it does not affect individual consumer accounts but some business and corporate accounts, which carry their own risks and sensitivities. The company normally stores passwords on its servers in a cryptographically protected form called a hash. However, a bug in the password recovery feature of G Suite for administrators caused unprotected passwords to be stored in the infrastructure of a control panel called the admin console. Google has disabled the features that contained the bug.
That means the passwords were accessible to authorized Google employees, or to malicious intruders. The administrator of each organization could also have had access to the clear-text passwords of the account holders in their group.
"The fact that this has existed since 2005 and was not caught is worrying."
David Kennedy, TrustedSec
Twitter and Facebook have fixed their own plaintext password errors over the last 1
Google's bug has existed since 2005, a year before "Google For Work" was officially offered. And while the company emphasizes that there is no evidence that the plaintext passwords were ever accessed or misused, 14 years is a long time for sensitive data to sit unnoticed.
"Our authentication systems work with many levels of security beyond the password, and we use numerous automated systems that block malicious login attempts, even if the attacker knows the password," wrote Suzanne Frey, Google's vice president of engineering, in a blog post. "In addition, we provide G Suite administrators with numerous 2-step verification (2SV) options … We take the security of our corporate customers very seriously and are proud to drive industry-proven account security practices; in this case we did not meet our own standards."
Google is currently notifying G Suite administrators, indicating that affected passwords that have not yet been changed will automatically be reset. As part of its investigation, the company also discovered a second plaintext-password error in April and May. That one accidentally saved plaintext passwords of new G Suite customers when they completed their signup. This error only took effect in January 2019, and those unencrypted passwords were stored for a maximum of 14 days. Google says it has fixed both the plaintext error in the main admin console and the newer signup issue.
"Google usually has a good track record when it comes to finding and fixing bugs quickly. Having this exist since 2005 and not getting caught is worrying," says David Kennedy, CEO of enterprise penetration testing firm TrustedSec. "We've seen this on Twitter, Facebook, and many other organizations where legacy processes or applications are exposing plaintext passwords internally, and even if they're just internal passwords, there's still a significant security and privacy issue."
Affected passwords that have not yet been changed will be automatically reset by Google. If you have not already done so, you should focus on adding two-factor authentication to your G Suite account. And maybe keep your fingers crossed that these passwords really did go unnoticed for 14 years.