Published on May 22nd, 2019
Google stored some passwords in plain text for fourteen years
In a blog post today, Google disclosed that it recently discovered a bug that caused some portion of G Suite users to have their passwords stored in plain text. The bug has been around since 2005, though Google says that it can't find any evidence that anybody's password was improperly accessed. It's resetting any passwords that might be affected and letting G Suite administrators know about the issue.
G Suite is the corporate version of Gmail and Google's other apps, and apparently the bug came about in this product because of a feature designed specifically for companies. Early on, it was possible for your company administrator for G Suite apps to set user passwords manually (say, before a new employee came on board), and if they did, the admin console would store those passwords in plain text instead of hashing them. Google has since removed that capability from administrators.
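The failure described above, sketched as an added example (not Google's code and not taken from its post): a credential store where the user path hashes but an administrator path writes the raw value, next to the corrected path and an audit that flags records not in the hashed format. All names, the record format and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor, an assumed value for this example
SALT_LEN, DIGEST_LEN = 16, 32

def hash_password(password: str) -> str:
    """Return 'pbkdf2$<salt hex>$<digest hex>' using a fresh random salt."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"

def is_hashed(stored: str) -> bool:
    """Format check: does this record look like hash_password() output?"""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        return False
    try:
        salt, digest = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    return len(salt) == SALT_LEN and len(digest) == DIGEST_LEN

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt; refuse to match plain-text records."""
    if not is_hashed(stored):
        return False
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

class CredentialStore:
    def __init__(self):
        self.records = {}  # user -> stored credential string

    def user_set_password(self, user: str, password: str) -> None:
        self.records[user] = hash_password(password)

    def admin_set_password_buggy(self, user: str, password: str) -> None:
        self.records[user] = password  # the reported failure mode: no hashing

    def admin_set_password(self, user: str, password: str) -> None:
        self.records[user] = hash_password(password)  # same routine as users

    def audit_plaintext(self) -> list:
        """List users whose stored value is not in the hashed format."""
        return sorted(u for u, v in self.records.items() if not is_hashed(v))
```

The audit is a format check only, so it finds records written by a path that skipped hashing but says nothing about whether a hashed record uses adequate parameters.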
Google's post goes to great pains to explain how cryptographic hashing works, likely in an effort to make sure the nuances surrounding this bug are clear. Though the passwords were stored in plain text, they were at least stored in plain text inside Google's servers, so they'd be harder to get to than if they were just out on the open internet. Although Google didn't say so explicitly, it seems like it wants to also make sure people don't lump this bug in the same category as other plain text password problems where those passwords have leaked out.
And oh, there have been so many of those, as Wired notes. Twitter advised all 330 million of its users to change passwords back in March due to a breach. Facebook stored "hundreds of millions" of passwords in plain text in a way where up to 20,000 of its employees could have accessed them. Instagram had to fess up that Facebook's breach had actually affected millions of Instagram users (not the previously disclosed smaller number).
For its part, Google didn't characterize just how many users might have been affected by this bug beyond saying it affected "a subset of our enterprise G Suite customers" (presumably anybody who was using G Suite in 2005). And though Google couldn't find evidence that anybody used this access maliciously, it's not entirely clear who would have had access to these plain text files either.
In any case, it's fixed now and Google is appropriately sorry in its post about the whole issue:
We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry's best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.