G Suite users’ passwords stored in plain-text for more than 14 years

Google accidentally stored the passwords of its G Suite users in plain-text for 14 years allowing its employees to access them.

The news is disconcerting, Google has accidentally stored the passwords of the G Suite users in plain-text for 14 years, this means that every employee in the company was able to access them.

According to the tech giant, the incident was caused by a bug in the password recovery mechanism and only business users were affected.

“However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.” reads a blog post published by the company. “This is a G Suite issue that affects business users only–no free consumer Google accounts were affected–and we are working with enterprise administrators to ensure that their users reset their passwords. “

The G Suite (aka Google Apps) includes cloud computing, productivity and collaboration tools, it is widely adopted by business users, Google already addressed the bug by removing the capability from G Suite administrators.

The bug resides in the password recovery mechanism for G Suite customers that allows enterprise administrators to upload or manually set passwords for any user of their domain without the knowledge of their previous passwords. The procedure could be used to set the password for newcomers employees and for account recovery.

Google admitted that if the admins reset the password, the admin console would store the passwords in plain text on google servers.

Google investigated the problem and confirmed that it has no evidence of improper access to or misuse of the affected G Suite credentials.

“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure.” continues Google. ” This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Google attempted to reassure users explaining that even if the passwords were stored in plain text passwords they were stored on internal secure encrypted servers that were not accessible for the open Internet.

At the time Google did not reveal how many users might have been impacted, but we have to consider that currently, G Suite has 5 million enterprise customers potentially at risk.

The company notified the incident to the impacted business users via and asked them to reset their passwords, it also announced that will automatically reset passwords for users who do not change their passwords.

Google isn’t the only tech giant that accidentally store plain text passwords on its internal servers. Recently, Facebook revealed a similar incident that affected its users and Instagram users.

In 2018, Twitter asked more than 330 million users to change their passwords after a bug exposed them in plain text on internal systems.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

May 23, 2019

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...