Google has discovered that it has been storing some G Suite users’ passwords in clear text and is notifying G Suite administrators that it will force a password change if the affected passwords haven’t been changed in the meantime.
Google discovered two separate issues, both of which affect only business users.
The first arose in 2005, due to a legacy function that enabled G Suite Domain Admins to view user passwords:
The second is more recent.
“As we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days,” Suzanne Frey, VP of Engineering at Google, explained.
But she made sure to note that in both cases the unhashed passwords were stored in Google’s encrypted internal systems, and that the company has “seen no evidence of improper access to or misuse of the affected passwords.”
Email from #GSuite stating that GSuite admin password was saved plaintext, at least for some accounts. If you have registered GSuite account between Jan 13 – May 9 2019, it’s a good time to re-check all security settings. pic.twitter.com/WhR49yYSzb
— Ruben Muradyan (@RubenMuradyan) May 22, 2019
The situation is reminiscent of Facebook’s recent revelation that the company had been storing the plain text passwords of hundreds of millions of Facebook users, and that those passwords were accessible to more than 20,000 Facebook employees for years.
While the security risk accompanying Google’s issues was not huge – attackers would have had to both breach Google’s infrastructure and obtain the decryption keys for the stored passwords – Frey has apologized and promised the company will do better in the future.