Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
May 22, 2019

Google has been storing unhashed G Suite customer passwords

Google has discovered that it has been storing some G Suite users’ passwords in clear text and is notifying G Suite administrators that it will force a password change if the affected passwords haven’t been changed in the meantime.

What happened?

Google discovered two separate issues, both of which affect only business users.

The first arose in 2005, due to a legacy function that enabled G Suite Domain Admins to view user passwords:

[Image: G Suite passwords]

The second is more recent.

“As we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days,” Suzanne Frey, VP of Engineering at Google, explained.

But she made sure to note that in both cases the unhashed passwords were stored in Google’s encrypted internal systems and that they “have seen no evidence of improper access to or misuse of the affected passwords.”

Email from #GSuite stating that GSuite admin password was saved plaintext, at least for some accounts. If you have registered GSuite account between Jan 13 – May 9 2019, it’s a good time to re-check all security settings. pic.twitter.com/WhR49yYSzb

— Ruben Muradyan (@RubenMuradyan) May 22, 2019

The situation is reminiscent of Facebook’s recent revelation that the company has been storing the plain text passwords of hundreds of millions of Facebook users and that those were accessible to more than 20,000 Facebook employees for years.

While the security risk accompanying Google’s issues was not huge – attackers would have had to breach Google’s infrastructure AND find the decryption keys for the stored passwords – Frey has apologized and promised the company will do better in the future.
