Google has admitted that some of its business customers of G Suite (formerly known as Google Apps) had their passwords stored on the company’s internal servers for 14 years in plaintext.
Although Google says it has seen “no evidence of improper access to or misuse of” the sloppily-stored credentials, the tech giant says it is contacting affected users to ensure that passwords are reset.
In a blog post Google admits that way back in 2005 it made a mistake when coding a password recovery feature in the G Suite admin console which caused unscrambled plaintext passwords to be stored on its servers.
That goof means that any Google employee who had access to the servers where the unprotected passwords were stored could have accessed the highly sensitive credentials.
As Google’s blog post succinctly describes the situation:
“This practice did not live up to our standards.”
Google says it has now fixed the bug, and is keen to emphasise that it was only G Suite enterprise customers whose passwords may have been put at risk, not consumers.
It turns out, however, that Google’s password storage problems didn’t stop there, as it has also admitted it introduced another problem earlier this year:
“In addition, as we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords.”
Google says it has notified administrators to change impacted passwords, and “out of an abundance of caution” will reset accounts that have not done so.
What Google hasn’t said is just how many of its corporate clients have been impacted by the issue, only stating that “a subset of [its] enterprise G Suite customers” are affected.
Hmm. A “subset” could mean any percentage between one and 99% of G Suite’s over five million business customers. One can only assume that Google doesn’t want to give a figure because it fears it will look bad, and compound the damage already done to its credibility by this embarrassing security faux pas.
Of course, it should go without saying that if you feel the need to change the passwords for your company’s Google accounts make sure that you also use the opportunity to ensure that you are not using the same passwords anywhere else on the internet.
On the theme of enhancing your company’s security, don’t turn a blind eye to the benefits – recently underlined by Google itself – of the proven security benefits of having additional layers of security such as two-step verification.