Google Admits To Storing Unhashed Passwords

My bad. Google admission after it stored plain text passwords for 14 years on its internal systems

Google has admitted that it has stored some unhashed G Suite enterprise accounts passwords on its systems for approximately fourteen years.

The seriousness of the privacy gaffe was lessened after Google confirmed it didn’t affect consumers, and that “some passwords were stored in our encrypted internal systems unhashed.”

The admission bears a remarkable similarity to Facebook, which admitted in March that it had stored “hundreds of millions” of passwords in plaintext, unprotected by any form of encryption whatsoever.

Fourteen years

The ‘good news’ for Facebook was that the unprotected passwords were stored on Facebook’s internal servers that could only be accessed by 20,000 staff members.

And it seems to be a similar story for Google after Suzanne Frey, VP of Engineering, Cloud Trust at the search engine giant admitted in a blog post that it had just discovered a long running password mistake associated with some of its G Suite Enterprise accounts (the business suite of Google services).

“Google’s policy is to store your passwords with cryptographic hashes that mask those passwords to ensure their security,” blogged Frey. “However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.”

“This is a G Suite issue that affects business users only – no free consumer Google accounts were affected – and we are working with enterprise administrators to ensure that their users reset their passwords,” said Frey. “We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials.”

Frey explained how Google had allowed domain administrators in its enterprise product (G Suite) to upload or manually set user passwords for their company’s users t help with account recovery and setting up new users.

“We made an error when implementing this functionality back in 2005,” Frey admitted. “The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Unhashed passwords

Frey said that had notified G Suite administrators to change those impacted passwords.

“Out of an abundance of caution, we will reset accounts that have not done so themselves,” she added.

Google is not the only guilty part over the years.

In May 2018 for example, Twitter urged all users to change their passwords after a “bug” meant that people’s passwords had been stored “unmasked in an internal log.”

Do you know all about security? Try our quiz!