Google missed a spot when securing passwords for some of its business customers, accidentally storing them in plain text for 14 years.

The issue was traced to 2005 and impacts G Suite users only. It was caused by an error in the implementation of the antiquated feature for manually setting and recovering passwords.

Outdated feature and implementation error

G Suite administrators had access to a console that allowed them to set up accounts for new users in the company. Typically, passwords were hashed before being stored on Google's infrastructure.

Hashing is a one-way operation that cannot be reversed. When a user provides a password, it is hashed and the result is compared with the stored hash. If there is a match, the password is correct and access is granted.

In a notification today, Google vice president of engineering Suzanne Frey says that the implementation error led to storing an unhashed copy of the password on Google's systems.
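The hash-and-compare check described above, together with a canary test that catches an unhashed copy in the store, as an added example (not Google's code and not part of the original article). The function names, the `recovery_copy` field, the PBKDF2 parameters and the canary value are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000                 # assumed PBKDF2-HMAC-SHA256 work factor
CANARY = "canary-Pw-7f3a91-XYZ"      # constructed test password (plain ASCII)


def hash_password(password: str) -> dict:
    """Build the record to persist: a random salt and the derived hash only."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Hash the supplied password with the stored salt; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def set_password_buggy(store: dict, user: str, password: str) -> None:
    """Hypothetical flawed write path: hashes, but also keeps an unhashed copy."""
    store[user] = dict(hash_password(password), recovery_copy=password)


def set_password_fixed(store: dict, user: str, password: str) -> None:
    """Corrected write path: only the salt and hash are persisted."""
    store[user] = hash_password(password)


def leaks_plaintext(store: dict, canary: str) -> bool:
    """Canary check: does the password appear anywhere in the serialized store?"""
    return canary in json.dumps(store)


if __name__ == "__main__":
    for write in (set_password_buggy, set_password_fixed):
        store = {}
        write(store, "alice", CANARY)
        print(write.__name__,
              "login ok:", verify_password(CANARY, store["alice"]),
              "| plaintext found:", leaks_plaintext(store, CANARY))
```

Both write paths let the user sign in, so a login test alone would not reveal the flaw; only the scan of what was persisted does.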

The company highlights that despite the slip-up, the sensitive info remained on its encrypted infrastructure and there was no indication of improper access or misuse. The issue has been fixed.

Similar event discovered recently

Google's notification also discloses a second incident that occurred in January 2019, when unhashed passwords were again discovered on its encrypted infrastructure.

"In addition, as we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure," said Frey.

In this case, the data remained in its less secure form for a period of 14 days. This issue was also fixed, and there was no evidence of improper access or misuse.

Google alerted the G Suite administrators impacted by the incidents to change the affected passwords. If this does not happen, accounts that have not complied with the request will be automatically reset.

"Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password," Frey added.

A G Suite account provides access to a number of Google services, including Gmail, Docs, and Drive. The two incidents should not give affected customers too much reason to fret. Although unhashed, the sensitive data was stored on Google's encrypted infrastructure, so an attacker would have to pass the security layers around it.
