Google has revealed that a bug saved passwords of its G Suite customers in plain text in a major security lapse. The company discovered two incidents of passwords being saved unhashed, though in its encrypted internal servers. However, it did not reveal the number of users that have been impacted. It is to be noted that the bug affected Google’s enterprise G Suite customers and those having free consumer Google accounts need not worry.
The second incident is most recent, which was discovered in January 2019 when Google was troubleshooting new G Suite customer sign-up flows. A subset of unhashed passwords were saved in its encrypted system for 14 days before the issue was fixed.
Google has said that the problem has been fixed and there was no evidence of misuse of the affected passwords. The company insists that the passwords remained in its secure encrypted infrastructure and were never improperly accessed.
The first incident of the bug storing unhashed passwords occurred in 2005, which Google says was an error when implementing a tool that allowed administrators to manually set user passwords for their company’s users. The issue was discovered only earlier this year, which means this set of unhashed passwords were stored in Google’s systems for close to 14 years.
“We recently notified G Suite administrators to change those impacted passwords. Out of an abundance of caution, we will reset accounts that have not done so themselves,” Google said in a blog post. As we mentioned earlier, only Google’s G Suite customers have been affected and the issue does not concern users with free Google accounts.