A bug in Google’s G Suite left the passwords of some users stored in plain text for the past 14 years, though the company doesn’t believe the information was accessed by unauthorised third parties.
"We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed," Google said in a blog post, stressing that the issue only affects business users, not consumers.
"We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials," said the company, which is currently working with enterprise administrators to make sure they compel users to reset passwords.
Google typically hashes passwords, but a glitch in a tool in 2005 that let domain administrators upload or manually set passwords for users to aid in the onboarding and recovery processes left some passwords stored in plain text.
"It’s concerning that Google just discovered that G Suite passwords were stored in plaintext since 2005," said Kevin Gosschalk, CEO, Arkose Labs, noting that with more than five million G Suite enterprise customers. "This mistake should have been recognised and prevented fourteen years earlier with proactive, ongoing security testing."
Admitting it "made an error when implementing this functionality back in 2005," the company said "the issue has been fixed" and assured administrators that the passwords remained in its secure encrypted infrastructure.
"The problem is we often don’t know the full extent of an issue like this for years to come. That means, when G Suite users are logging into their accounts, we want to believe, really believe, that they are the legitimate account owners," said Robert Prigge, president of Jumio.
"But, at the end of the day, we don’t know for sure. And the weakest link in the security chain is again Google’s username and password," he added. According to him, that’s a paradigm companies like Google must evolve beyond.
Google is not the only global tech and media company to have experienced this issue.
Earlier this year, Facebook acknowledged that hundreds of millions of user account passwords were stored in plain text, searchable by thousands of Facebook employees. Twitter in May 2018 urged all of its users to immediately change their passwords after a bug exposed them in plain text.
"If such big companies with large security budgets and staff have had experienced this, what hope is there for the rest of us?" asked Sarb Sembhi, chief technology officer at Virtually Informed.
As it was troubleshooting the sign-up flows for the new G Suite customer, Google also found that in January it "had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure…for a maximum of 14 days," the blog post said. That issue has since been resolved and the company has found "no evidence of improper access to or misuse of the affected passwords."
The tech giant said it will continue to conduct security audits to ensure that the incident was isolated.
"It seems that Google is admitting to a lapse in security, but not to a data breach, therefore there is no need to notify any authority in any jurisdiction," said Sembhi.
According to Gosschalk, enterprises should constantly re-evaluate and test their security measures "to make sure lapses in security or, in this instance, a faulty password setting and recovery offering, does not jeopardise its customers or their accounts."
The original version of this article was published on SC Media US.