Google announced today that it’s the latest tech giant after Facebook and Twitter to have accidentally stored user passwords unprotected in plaintext. G Suite users, pay attention.
“Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password,” Google vice president of engineering Suzanne Frey wrote in a blog post. “In addition, we provide G Suite administrators with numerous two-step verification (2SV) options. … We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards.”
Google says that the bug affected “a small percentage of G Suite users,” meaning it does not impact individual consumer accounts, but does affect some business and corporate accounts, which have their own risks and sensitivities. The company typically stores passwords on its servers in a cryptographically scrambled state known as a hash. But a bug in G Suite’s password recovery feature for administrators caused unprotected passwords to be stored in the infrastructure of a control panel, called the admin console. Google has disabled the features that contained the bug.
Before it did so, the passwords would have been accessible to authorized Google personnel or malicious interlopers. Each organization’s administrator could have also accessed the plaintext passwords for the account holders within their group.
Twitter and Facebook have dealt with plaintext password bugs of their own in the past 18 months. Google’s bug, meanwhile, has existed since 2005—a year before “Google For Work” even became an official offering. And while the company emphasizes that it has no evidence that the plaintext passwords were ever accessed or abused, 14 years is a long time for sensitive data to hang around unnoticed.