22 May 2019
Twitter did it. Facebook did it. Now Google’s done it.
Google revealed Tuesday in a blog post that it accidentally stored its users’ passwords unprotected in plain text. For fourteen years, any Google employee with access to Google’s internal servers could read them. G Suite, previously known as Google Apps and mainly a business version of everything Google offers, had a bug in its password recovery feature that mistakenly stored unhashed passwords for some of its enterprise users.
The flaw resided in a manual password reset feature that allowed administrators to help with employee onboarding or account recovery without actually knowing any previous passwords. “We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password,” Google says. “To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed, and we have seen no evidence of improper access to or misuse of the affected passwords.”
Google went on to say that only the G Suite apps for businesses were affected. Affected G Suite administrators were notified and asked to have their users reset their passwords. Google will force an automatic reset for users who do not do so themselves, citing “an abundance of caution.”