This issue is linked with G Suite users only while free consumer Google accounts remained unharmed.
A couple of days ago it was reported that Google has been using Gmail to secretly store its users’ purchase history for years. Now, the company has revealed that its team recently discovered a bug due to which some of its enterprise G Suite customers got their passwords stored in plaintext or unhashed but encrypted format for approx. 14 years.
Google explained in its official blog post published Tuesday that this issue is linked with G Suite users only while free consumer Google accounts remained unharmed. According to Google’s Suzanne Frey:
“We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed. We are working with enterprise administrators to ensure that their users reset their passwords.”
This is definitely nothing short of a security lapse from Google and for such a long time the company remained unaware that such sensitive data was stored in the unhashed form. In fact, even now Google cannot accurately specify the number of customers affected by this bug. However, Google has affirmed that there is no evidence of unauthorized access so far.
It is worth noting that tech companies like Google use a hashing algorithm for passwords that scramble them so that humans aren’t able to read them. G Suite admins can manually upload, edit, and recover new user passwords specifically for enterprise users to help them add passwords of new employees.
In April, Google discovered that the way G Suite admins were implementing password setting/recover for enterprise users back in 2005 was flawed and that’s why a copy of each password got stored in plaintext format. This feature was later discontinued by Google.
Frey confirmed that the passwords were stored in encrypted form in the database and that the issue is now fixed.
“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
G Suite offers Google’s corporate version of apps like Hangouts, Drive, Docs, and Gmail, and it is developed solely for enterprise customers. Reportedly, around 5 million enterprise customers of Google use G Suite.
Earlier in May, another security flaw was identified by Google while troubleshooting the new customer sign-up feature of G Suite. The problem was that since January 2019, the new G Suite stored a subset of passwords in an unhashed form on its internal systems but the maximum duration of storing the subsets was no more than two weeks.
Google further claims that only a limited number of Google’s personnel were authorized to access these internal systems. This issue has been fixed as well now. Google has also notified G Suite admins to reset all those account passwords that are not changed yet. Moreover, Google has also notified data protection regulators about the security lapse.
This, however, is not the first time when a “bug” has caused issues for Google. In fact, in October last year, Google admitted that a bug was present in the API for the consumer version of Google Plus (Google+) that allowed third-party developers’ access data of not just its users but also of their contacts and friends.
In December last year again, Google announced that during routine testing its security team discovered the presence of another bug in Google+ API affecting approximately 52.5 million (both consumer users and enterprise customers). It is worth mentioning that Both bugs played a vital role in the demise of Google Plus.
When it comes to storing users’ password insecurely Google is not the only tech giant. In March this year, Facebook stored 600 million user passwords in plain text. The worse part is that these passwords were exposed to 20,000 Facebook employees.
Furthermore, last month, Facebook was also caught storing millions of Instagram passwords in a readable format and asked users for their email’s passwords for “verification.” According to Pedro Canahuati, VP Engineering, Security and Privacy at Facebook, there was no evidence that these passwords were “internally abused or improperly accessed.”