A bug in Google’s G Suite left some users’ passwords stored in plaintext for the past 14 years, though the company does not believe the passwords were accessed by unauthorized third parties.
In a blog post, the tech giant said: “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.”
The company further said that it “had been conducting a full probe and had seen no evidence of inappropriate access to or misuse of the affected G Suite credentials.”
Google ordinarily hashes passwords before storing them, but a bug in a tool introduced in 2005, which allows domain administrators to upload or manually set passwords for users to support onboarding and account recovery, left some of those passwords stored in plaintext rather than as hashes.
“It’s concerning that Google just discovered that G Suite passwords were stored in plaintext since 2005,” said Kevin Gosschalk, CEO, Arkose Labs, noting that with more than five million G Suite enterprise customers, “this mistake should have been recognized and prevented fourteen years earlier with proactive, ongoing security testing.”
Google admitted it made a mistake when implementing this functionality back in 2005, but said the issue had been fixed, and assured administrators that the passwords had remained in its secure encrypted infrastructure.
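The failure mode described above, an administrator “set password” path that writes the value as given while the normal path hashes it, is easy to illustrate in code. The following is an added example written for this page, not Google’s code and not a reconstruction of the actual G Suite tool; the credential store, the scrypt record format, and the function names are assumptions. It shows why such a bug is silent (the plaintext record still authenticates correctly) and the kind of store-level audit that would have caught it.

```python
import hashlib
import hmac
import os

# Assumed in-memory credential store for the example: username -> stored credential string.
# Scrypt work factors (N, r, p); N=2**14 keeps the example fast while still using a real KDF.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
HASHED_PREFIX = "scrypt$"
DKLEN = 32


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def admin_set_password_flawed(store, username, password):
    """Hypothetical flawed admin path: the password is written exactly as supplied.
    Logins keep working, so nothing in the normal flow reveals the mistake."""
    store[username] = password


def admin_set_password(store, username, password):
    """Correct admin path: only a salted scrypt record ever reaches the store."""
    store[username] = hash_password(password)


def verify_password(store, username, candidate):
    """Check a login attempt. Handles both record kinds to show the bug is silent."""
    stored = store.get(username)
    if stored is None:
        return False
    if stored.startswith(HASHED_PREFIX):
        _, n, r, p, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=DKLEN)
        return hmac.compare_digest(digest.hex(), digest_hex)
    # Plaintext record: authentication still succeeds, which is why this can go unnoticed.
    return hmac.compare_digest(stored.encode(), candidate.encode())


def audit_store(store):
    """Return usernames whose stored credential is not a well-formed scrypt record.
    This is the kind of periodic check that catches a plaintext-writing code path."""
    flagged = []
    for user, stored in store.items():
        parts = stored.split("$")
        well_formed = (
            stored.startswith(HASHED_PREFIX)
            and len(parts) == 6
            and all(p.isdigit() for p in parts[1:4])
            and len(parts[4]) == 32          # 16-byte salt as hex
            and len(parts[5]) == DKLEN * 2   # digest as hex
        )
        if not well_formed:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    store = {}
    admin_set_password(store, "alice", "correct horse battery")
    admin_set_password_flawed(store, "carol", "hunter2")
    print("alice login:", verify_password(store, "alice", "correct horse battery"))
    print("carol login:", verify_password(store, "carol", "hunter2"))
    print("records needing remediation:", audit_store(store))
```

The audit deliberately inspects the shape of every record rather than trusting the code path that wrote it; a login test alone would have passed for both users above. In a real system the flagged accounts would be forced through a password reset so the plaintext values can be discarded.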
Robert Prigge, president of Jumio, said: “The problem is we often don’t know the full extent of an issue like this for years to come. That means, when G Suite users are logging into their accounts, we want to believe, really believe, that they are the legitimate account owners.” “But, at the end of the day, we don’t know for sure. And the weakest link in the security chain is again Google’s username and password.” That’s a paradigm, he said, companies like Google must evolve beyond.
While troubleshooting the sign-up flows for new G Suite customers, Google also discovered that in January it had unintentionally stored a subset of unhashed passwords in its secure encrypted infrastructure for 14 days. It added that this issue had since been fixed and that the company had found “no evidence of improper access to or misuse of the affected passwords.”
The tech behemoth said it will continue to conduct security audits to ensure that the incident was isolated.
But Gosschalk called for companies to continually re-evaluate and test “their security measures to make sure lapses in security or, in this instance, a faulty password setting and recovery offering, does not jeopardize its customers or their accounts.”