Google has admitted that some of its enterprise customers’ passwords have been erroneously stored in plaintext, in a security issue dating back 14 years.
The tech giant’s VP of engineering, Suzanne Frey, explained that the problem occurred when it introduced a new way for G Suite domain administrators to upload and manually set new passwords for their employees, to help with onboarding and account recovery.
“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards,” she added.
“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
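The defect Frey describes is an admin-driven password-set flow that keeps an unhashed copy next to the hash. The following is an added example (not Google's code) with a constructed in-memory store: it shows the flawed flow beside the corrected one, and an audit that finds records holding a plaintext copy by checking whether any stored string verifies against the record's own hash, so it catches the copy whatever field name it hides under. `ACCOUNTS`, the field names and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000          # assumed PBKDF2 work factor for the example
ACCOUNTS = {}                 # constructed stand-in for an admin console's account store


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def set_password_flawed(user, password):
    """The class of bug in the article: the hash is stored, but so is an unhashed copy."""
    salt = os.urandom(16)
    ACCOUNTS[user] = {
        "salt": salt,
        "hash": _derive(password, salt),
        "admin_set_password": password,   # defect: plaintext retained after the reset
    }


def set_password(user, password):
    """Corrected flow: only salt and hash persist; the plaintext never leaves this frame."""
    salt = os.urandom(16)
    ACCOUNTS[user] = {"salt": salt, "hash": _derive(password, salt)}


def verify_password(user, password):
    rec = ACCOUNTS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])


def audit_plaintext_copies(store):
    """Return users whose record contains a string that verifies against their own hash.

    Name-agnostic: a leaked copy under any field name is found, since it re-derives to
    the stored hash. Intended as a periodic datastore audit, not a login-path check.
    """
    flagged = []
    for user, rec in store.items():
        for key, value in rec.items():
            if key in ("salt", "hash") or not isinstance(value, str):
                continue
            if hmac.compare_digest(_derive(value, rec["salt"]), rec["hash"]):
                flagged.append(user)
                break
    return sorted(flagged)
```

Running the audit as a scheduled job over the account store is one way to turn "we have seen no evidence" into a positive check that no unhashed copies exist.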
It’s unclear exactly how many users have been affected by this security snafu: Google would only say that it relates to a “subset of G Suite” customers. No consumer Google accounts were impacted.
Frey’s team also spotted a separate but similar security issue, dating back to the start of this year.
“As we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure,” she explained.
“These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident.”
All G Suite admins impacted by these issues have been notified, and Google said it will reset passwords on any affected account where action is not taken.
Facebook, Twitter and GitHub have all admitted storing user passwords in plaintext over the past year or so. In Facebook’s case, hundreds of millions of users are thought to have been affected.