Google joins the likes of Facebook and Twitter as a company that stored passwords in plaintext. This privacy mishap affected some of its G Suite accounts, including business and corporate accounts. Individual G Suite consumer accounts and free Google accounts have not been affected. Google has already alerted G Suite admins about this issue.
For its enterprise accounts in G Suite, Google offered IT admins tools to create and recover employees' passwords. Google said that it made an error when implementing the password recovery function back in 2005, where the admin would store a copy of the unhashed password.
This security bug left some passwords in readable plaintext, but Google assures its users that these passwords never left its secure encrypted infrastructure. The passwords would have been accessible to authorized Google personnel, malicious interlopers or the company’s admins themselves.
Google has since disabled the features that contained the bug in the admin console. The tech giant goes on to say that there’s no cause for alarm, since there’s no evidence of improper access to or misuse of the affected passwords.
In a blog post, Google VP of engineering Suzanne Frey writes that even though 14 years is a long time for data to hang around, Google already has authentication systems that operate with many layers of defense beyond the password, including automatic systems that block malicious sign-in attempts even when the attacker has the password. G Suite admins are provided with two-step verification options. She concludes by taking the blame, saying Google didn’t live up to its own standards.
Google has already alerted G Suite admins by emailing them a list of the impacted users who should set a new password. Google will auto-reset the impacted passwords that haven’t already been changed. Another security step you can take is to add two-factor authentication to your G Suite account.