Google has admitted an error it made 14 years ago meant it was storing passwords of some G Suite customers in the clear for over a decade.
The issue only affects “some” G Suite customers and does not affect users of Gmail or other free consumer Google accounts. However, Google has not provided an estimate of how many users were impacted.
Google notes that while the passwords were not hashed using a cryptographic algorithm, they were stored on its encrypted internal systems.
Google’s password problem is similar, albeit on a much smaller scale, to Facebook’s password protection blunder it admitted to in March. Facebook said that “hundreds of millions” of user passwords were stored in the clear on its internal systems after conducting a security review in January. Facebook said it found no evidence that any of its 20,000 employees had access the passwords.
Google goes into detail about the purpose of using a one-way hashing algorithm to protect passwords. To protect passwords, including from staff at the service provider, organizations can use a hashing algorithm to convert a user password into a random string of characters.
The one way function makes it easy to scramble the plaintext password but difficult to unscramble, helping protect it in the event of a data breach.
When users type in a password, the hashing algorithm scrambles it in the same way it did when the password was created. If the result of the typed password matches the original hash, the user can sign in with a password that they know without the service provider learning it.
According to Suzanne Frey, VP of engineering and Cloud Trust, Google engineers made an error in 2005 when implementing a feature that allowed G Suite domain admins to set and recover their users’ passwords. Admins could use the admin console to upload or manually set user passwords for their users. The password recovery feature no longer exists.
“The admin console stored a copy of the unhashed password,” explained Frey. “This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
Google also discovered that from January 2019 it stored “a subset of unhashed passwords” in its secure encrypted systems. The unscrambled passwords were stored there for up to 14 days. This issue was also fixed.
Frey said Google had no evidence of improper access or misuse of the affected passwords.
Google will reset accounts that were affected by the password issue and says it has notified G Suite admins of the impacted passwords.