Home Hacking News Google Stored Unhashed Passwords Of G Suite Business Customers For 14 Years

Google Stored Unhashed Passwords Of G Suite Business Customers For 14 Years

by Abeerah Hashim
Google increases bug bounty rewards with fivefold

It hasn’t been since we heard of stories such as:  Facebook storing users’ passwords in plain text. It seems a similar glitch happened at Google as well. As disclosed by the officials, Google stored unhashed passwords of G Suite users (but not in plain text) for more than a decade.

Google Stored Unhashed Passwords For Over A Decade

According to a recent blog post, Google stored unhashed passwords of some G Suite users for a number of years. Specifically, it all happened due to a bug that existed for around 14 years.

As elaborated by Suzanne Frey, Vice President Engineering, Cloud Trust at Google, a glitch occurred in the password reset tool for some customers back in 2005. Explaining about the incident, Frey wrote,

We had previously provided domain administrators with tools to set and recover passwords because that was a common feature request. The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company’s users.

As per regular procedure, Google stores hashed passwords of users in encrypted form.

When you set your password, instead of remembering the exact characters of the password, we scramble it with a “hash function”, … and that’s what we store with your username. Both are then also encrypted before being saved to disk.

However, due to the bug, the system continued storing passwords in unhashed form. Nonetheless, the passwords remained veiled due to encryption.

Besides, the flaw affected the G Suite business users only. The other free users remained unaffected.

Another Similar Incident Led To Storage For Few Days

Alongside this glitch that existed for 14 years, Google has also disclosed another flaw leading to similar results.

In addition, … we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days.

Google confirmed that they have fixed both the bugs. Besides, they also assure no misuse or improper access to the stored passwords. Nonetheless, they pledge to continue with the investigations and audit to ensure the existence of no other bugs.

Moreover, they have also notified the affected G Suite customers and will reset passwords of all those who haven’t done it yet.

Let us know your views in the comments.

You may also like