Google says it stored some G Suite passwords in unhashed form for 14 years

May 21, 2019

Google today revealed that a bug in an old G Suite tool has resulted in the company storing customer passwords in an unhashed — but encrypted — form for nearly 14 years, between 2005 and 2019.

The company said that only G Suite enterprise customers were impacted, but not regular Gmail accounts.

Most G Suite customers are companies that signed up for enterprise versions of Gmail, Google Docs, Google Sites, Google Drive, and Google’s various other services.

BUG IN OLD G SUITE TOOL


Google said the bug at the heart of this security breach was an old tool it developed back in the 2000s.

“The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company’s users,” the company said today.

“The intent was to help [G Suite admins] with onboarding new users; e.g., a new employee could receive their account information on their first day of work, and for account recovery.”

Google said it made an error when it implemented this tool’s password-setting functionality back in 2005.

Passwords set through this tool were stored on disk without passing through Google’s standard password-hashing algorithm.

The passwords were still encrypted when written to disk, Google added, so Google employees or intruders who reached the storage could not read them in clear text without also obtaining the decryption key.
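The bug described above is a second write path that skipped the hashing step, so the record written to disk was the password itself rather than a one-way hash of it. The example below is added here to illustrate that class of bug; it is not Google's code, the page does not name Google's hashing algorithm, and the scheme used for "encryption at rest" is a toy HMAC-keystream stand-in chosen only because it is reversible by anyone holding the key. It shows that both write paths verify logins identically (so functional tests cannot tell them apart), that the at-rest key alone recovers the password from the buggy record but not from the hashed one, and a storage-format audit that flags the bad records.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy stand-in for encryption at rest (assumption: HMAC-SHA256 keystream XOR,
# not Google's real scheme). Its only relevant property is reversibility.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_at_rest(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_at_rest(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# Stand-in for "the standard password-hashing algorithm": salted scrypt, one-way.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return b"scrypt$" + salt.hex().encode() + b"$" + digest.hex().encode()

def verify_hash(password: str, record: bytes) -> bool:
    _, salt_hex, digest_hex = record.split(b"$")
    expected = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex.decode()), **SCRYPT)
    return hmac.compare_digest(expected.hex().encode(), digest_hex)

class PasswordStore:
    """Credential store whose records are encrypted at rest under one key."""

    def __init__(self, at_rest_key: bytes):
        self.key = at_rest_key
        self.rows = {}  # user -> encrypted record blob

    def set_password(self, user: str, password: str) -> None:
        """Correct path: hash first, then encrypt the hash at rest."""
        self.rows[user] = encrypt_at_rest(self.key, hash_password(password))

    def admin_set_password_buggy(self, user: str, password: str) -> None:
        """Models the admin-console bug: hashing is skipped and the raw
        password is what gets encrypted at rest."""
        self.rows[user] = encrypt_at_rest(self.key, b"raw$" + password.encode())

    def check_login(self, user: str, password: str) -> bool:
        """Login works the same for both record kinds, so the bug is invisible
        to functional testing."""
        record = decrypt_at_rest(self.key, self.rows[user])
        if record.startswith(b"scrypt$"):
            return verify_hash(password, record)
        return hmac.compare_digest(record[4:], password.encode())

    def recover_with_key(self, user: str) -> Optional[str]:
        """What someone holding only the at-rest key learns about a password."""
        record = decrypt_at_rest(self.key, self.rows[user])
        return record[4:].decode() if record.startswith(b"raw$") else None

    def audit(self) -> list:
        """Storage-format audit: users whose stored record is not a hash."""
        return [u for u, blob in self.rows.items()
                if not decrypt_at_rest(self.key, blob).startswith(b"scrypt$")]

if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    store = PasswordStore(secrets.token_bytes(32))
    store.set_password("alice", "correct horse")
    store.admin_set_password_buggy("bob", "battery staple")
    print(store.check_login("alice", "correct horse"), store.check_login("bob", "battery staple"))
    print(store.recover_with_key("alice"), store.recover_with_key("bob"))
    print(store.audit())
```

The practical lesson is in `audit`: every entry point that writes a credential (sign-up, admin set, bulk upload, recovery) must funnel through the same hashing function, and the check that catches a bypass is an inspection of what is actually on disk, not a login test.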

The company said it discovered the bug this year, deprecated the tool, and corrected the issue.

“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Google said.

A SECOND CASE OF STORING PASSWORDS IN UNHASHED FORM

But Google also disclosed a second incident during which the G Suite platform had stored passwords without passing them through its regular password-hashing algorithm.

This second incident came to light while Google staff were “troubleshooting new G Suite customer sign-up flows.”

Google said that starting in January 2019, G Suite had stored passwords set during the sign-up procedure in an unhashed form. As in the first incident, the passwords were still encrypted when saved to disk.

This second batch of unhashed passwords was kept on disk for only 14 days, limiting the bug’s impact, and Google said it also saw no signs of abuse or improper access for passwords affected by this second bug.

G SUITE ADMINS HAVE BEEN NOTIFIED


The company said today it already notified G Suite administrators and told them to reset user passwords that had been set through the old G Suite tool.

Under normal circumstances, this bug should not pose a large risk to affected customers: an attacker would first have had to breach Google’s infrastructure, locate the encrypted passwords within its immense data centers, and then obtain the decryption key before any of the passwords could be used. The caveat is that encryption at rest, unlike a one-way password hash, is reversible by anyone who holds that key, which is why password-storage practice calls for hashing even inside otherwise trusted infrastructure; it is also why the remedy is a reset rather than a re-encryption.

Google’s G Suite blunder is surely not on the same level as a recent Facebook snafu. Back in March, Facebook admitted to storing the passwords of hundreds of millions of Facebook accounts and millions of Instagram accounts in plaintext.
