Google today revealed that a bug in an old G Suite tool has resulted in the company storing customer passwords in an unhashed — but encrypted — form for nearly 14 years, between 2005 and 2019.
The company said that only G Suite enterprise customers were impacted, but not regular Gmail accounts.
Most G Suite customers are companies that signed-up for enterprise versions of Gmail, Google Docs, Google Sites, Google Drive, and Google’s various other services.
BUG IN OLD G SUITE TOOL
Google said the bug at the heart of this security breach was an old tool it developed back in the 2000s.
“The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company’s users,” the company said today.
“The intent was to help [G Suite admins] with onboarding new users; e.g., a new employee could receive their account information on their first day of work, and for account recovery.”
Google said it made an error when it implemented this tool’s password-setting functionality back in 2005.
Passwords set through this tool were stored on disk without passing through Google’s standard password-hashing algorithm.
The passwords were eventually encrypted when stored on disk, Google added, meaning that Google employees or intruders couldn’t see or read the passwords in clear text.
The company said it discovered the bug this year, deprecated the tool, and corrected the issue.
“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Google said.
A SECOND CASE OF STORING PASSWORDS IN UNHASHED FORM
But Google also disclosed a second incident during which the G Suite platform had stored passwords without passing them through its regular password-hashing algorithm.
This second incident came to light when the staff was “troubleshooting new G Suite customer sign-up flows.”
Google said that starting with January 2019, G Suite had stored passwords set during the sign-up procedure in an unhashed form. Just like during the first incident, the passwords were eventually encrypted when saved to disk.
This second batch of unhashed passwords was only stored on disk for 14 days, minimizing the bug’s impact, and Google said it also didn’t see any signs of abuse or improper access for passwords associated with this second bug.
G SUITE ADMINS HAVE BEEN NOTIFIED
The company said today it already notified G Suite administrators and told them to reset user passwords that had been set through the old G Suite tool.
Under normal circumstances, this bug shouldn’t be a huge security risk for affected customers, as an attacker would have had to breach Google’s infrastructure first, locate the encrypted passwords in its immense data centers, and then retrieve the proper decryption key to decrypt the passwords before using any of them.
Google’s G Suite blunder is surely not on the same level as a recent Facebook snafu. Back in March, Facebook admitted to storing the passwords of hundreds of millions of Facebook accounts and millions of Instagram accounts in plaintext.
Code Execution Vulnerability Identified in Change Healthcare Cardiology DevicesA vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. The vulnerability could be exploited by a locally authenticated...
29% of Small Businesses Spend Less Than $1,000 on IT Security Annually and Why They Are The Most Targeted
29% of Small Businesses Spend Less Than $1,000 on IT Security Annually and Why They Are The Most TargetedThe digital and network footprint of small businesses is continually growing. Online commerce, social media, remote workers, and cloud-based IT infrastructure are...
What Other Companies Can Learn from Facebook’s $5 Billion Fine and Why Privacy MattersWhile Facebook’s $5 billion settlement stands as the largest fine in the history of the Federal Trade Commission (FTC), one must take into consideration that not every company is...
Stay Up to Date With The Latest News & Updates
Join Our Newsletter
Get weekly tech updates and immediate alerts when there is a zero-day or security issue!