Search giant Google has recently disclosed that it has discovered an issue whereby a number of G Suite users have had their passwords being stored in plain text format.
According to the company, which announced the discovery in a blog post earlier this week, the problem has been around for over a decade, since 2005. However, Google does not believe that any of the passwords were inappropriately accessed after finding no evidence for this to be the case. As a result of the discovery, the company will be resetting any of the passwords that may have been compromised as well as informing G Suite administrators about the issue.
Google did not state how many passwords were being stored this way, but did say it has affected a subset of customers. This could presumably be anyone that was using the service back in 2005. Furthermore, whilst there was no evidence of malicious access, it is not clear as to who would have had access to these passwords in the first place.
G Suite is the company’s corporate version of Gmail and many other of its services, and it is believed that the error came about within this service because of a feature that was designed specifically for use by businesses.
Earlier in G Suite’s existence, users were able to manually set user passwords for their businesses in situations such as in readiness for a new employee starting, and once the password was set, the admin console would then store that password in plain text rather than hashing it. Since the discovery, Google has now removed that ability from administrators.
In the blog post, Google goes to great length to explain the ins and outs of cryptographic hashing and how it works, possibly in an effort to reassure users that the nuances around this bug have been cleared.
Although passwords were stored in plain text format, they were stored inside Google’s own servers, meaning that it would be harder to get to them than if they were stored on the open internet. While Google didn’t explicitly say this, it seems that the company wants to make sure this incident is not lumped into the same pile as other password bugs that were leaked after being stored online.
Google has issued an apology for this error, stating that it did not live up to its own standards, reiterating that it takes the security of its customers extremely seriously.
- Chrome to warn users regarding insecure web forms - August 20, 2020
- Google trials virtual business cards in India - August 14, 2020
- DuckDuckGo claims Google market share would drop if users given choice - August 11, 2020