Google apologises for storing some G Suite passwords in readable form since 2005
In a blog post, Google apologised for a bug that caused a portion of G Suite passwords to be stored in plain text. Google also notified the impacted companies to change their passwords.
In a blog post on Wednesday, Google said that the passwords of a portion of enterprise G Suite customers had been stored in plain text since 2005, and that the administrators of the impacted passwords were recently notified to change them.
According to Google's policy, passwords are to be stored as cryptographic hashes that mask them to ensure their security. When passwords are stored unhashed in the system, they can be read in plain text, which puts the impacted company at risk of being hacked.
The company claimed it has been conducting a thorough investigation and did not find any evidence of improper access to or misuse of the affected G Suite credentials.
It also confirmed that no free consumer Google accounts were affected and that the security issue concerns only enterprises using G Suite, a cloud computing brand of Google which comprises Gmail, Hangouts and Google+ for communication. It gives added features like custom email addresses for companies and the option of unlimited cloud storage, depending on the plan.
In an official statement, it explained how the passwords of consumers and G Suite enterprise customers are stored. The company said:
“If you have a Google account, Google’s core sign-in system is designed not to know your password. When you set your password, instead of remembering the exact characters of the password, we scramble it with a ‘hash function’, so it becomes something like '72i32hedgqw23328', and that’s what we store with your username. Both are then also encrypted before being saved to disk.”
In a statement issued in February, the company claimed there are more than five million businesses using G Suite. The companies range from financial services to healthcare and small businesses to bigger companies.
Similar security lapses, in which passwords were stored unmasked, were reported at Facebook earlier in March and at Twitter last year.