After Facebook and Twitter, Google becomes the latest technology giant to have accidentally stored its users’ passwords unprotected in plaintext on its servers—meaning any Google employee who has access to the servers could have read them.
In a blog post published Tuesday, Google revealed that its G Suite platform mistakenly stored unhashed passwords of some of its enterprise users on internal servers in plaintext for 14 years because of a bug in the password recovery feature.
G Suite, formerly known as Google Apps, is a collection of cloud computing, productivity, and collaboration tools that have been designed for corporate users with email hosting for their businesses.
It’s basically a business version of everything Google offers.
The flaw, which has now been patched, resided in the password recovery mechanism for G Suite customers that allows enterprise administrators to upload or manually set passwords for any user of their domain without actually knowing their previous passwords in order to help businesses with on-boarding employees and for account recovery.
If the admins did reset, the admin console would store a copy of those passwords in plain text instead of encrypting them, Google revealed.
“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password,” Google says.
However, Google also says that the plain text passwords were stored not on the open Internet but on its own secure encrypted servers and that the company found no evidence of anyone’s password being improperly accessed.
“This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure,” Google says. “This issue has been fixed, and we have seen no evidence of improper access to or misuse of the affected passwords.”
Google also clarifies that the bug was restricted to users of its G Suite apps for businesses and that no free version of Google accounts like Gmail were affected.
Though the company did not disclose how many users might have been affected by this bug beyond just saying the issue affected “a subset of our enterprise G Suite customers,” with more than 5 million G Suite enterprise customers, the bug could affect a large number of users — presumably any user who used G Suite in last 14 years.
In order to address the issue, Google has since removed the capability from G Suite administrators and emailed them a list of impacted users, asking them to ensure that those users reset their passwords.
Google says the company would be automatically resetting passwords for those users who do not change their passwords.
“Out of an abundance of caution, we’ll reset accounts that have not done so themselves,” the tech giant says.
Google is the latest tech company to accidentally store unhashed passwords on its internal servers. Recently, Facebook was in the news for storing plaintext passwords for hundreds of millions of its users, both Instagram and Facebook, on its internal servers.
Almost a year ago, Twitter also reported a similar security bug that unintentionally exposed passwords for its 330 million users in readable text on its internal computer system.