Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
May 22, 2019

Google has been storing unhashed G Suite customer passwords

Google has discovered that it has been storing some G Suite users’ passwords in clear text and is notifying G Suite administrators that it will force a password change if the affected passwords haven’t been changed in the meantime.

What happened?

Google discovered two separate issues, both of which affect only business users.

The first arose in 2005, due to a legacy function that enabled G Suite Domain Admins to view user passwords:

[Image: G Suite passwords]

The second is more recent.

“As we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days,” Suzanne Frey, VP of Engineering at Google, explained.

But she made sure to note that in both cases the unhashed passwords were stored in Google’s encrypted internal systems and that they “have seen no evidence of improper access to or misuse of the affected passwords.”

Email from #GSuite stating that GSuite admin password was saved plaintext, at least for some accounts. If you have registered GSuite account between Jan 13 – May 9 2019, it’s a good time to re-check all security settings. pic.twitter.com/WhR49yYSzb

— Ruben Muradyan (@RubenMuradyan) May 22, 2019

The situation is reminiscent of Facebook’s recent revelation that the company has been storing plain-text passwords of hundreds of millions of Facebook users and that those were accessible to more than 20,000 Facebook employees for years.

While the security risk accompanying Google’s issues was not huge – attackers would have had to breach Google’s infrastructure AND find the decryption keys for the stored passwords – Frey has apologized and promised the company will do better in the future.
