Google Stored Unhashed Passwords Of G Suite Business Customers For 14 Years

It hasn’t been long since we heard stories such as Facebook storing users’ passwords in plain text. It seems a similar glitch happened at Google as well. As disclosed by officials, Google stored unhashed passwords of G Suite users (but not in plain text) for more than a decade.

Google Stored Unhashed Passwords For Over A Decade

According to a recent blog post, Google stored unhashed passwords of some G Suite users for a number of years. Specifically, it all happened due to a bug that existed for around 14 years.

As elaborated by Suzanne Frey, Vice President Engineering, Cloud Trust at Google, a glitch occurred in the password reset tool for some customers back in 2005. Explaining the incident, Frey wrote:

We had previously provided domain administrators with tools to set and recover passwords because that was a common feature request. The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company’s users.

As per regular procedure, Google stores hashed passwords of users in encrypted form.

When you set your password, instead of remembering the exact characters of the password, we scramble it with a “hash function”, … and that’s what we store with your username. Both are then also encrypted before being saved to disk.

However, due to the bug, the system continued storing passwords in unhashed form. Nonetheless, the passwords remained veiled due to encryption.

Besides, the flaw affected only G Suite business users. Users of free accounts remained unaffected.

Another Similar Incident Led To Storage For A Few Days

Alongside this glitch that existed for 14 years, Google has also disclosed another flaw leading to similar results.

In addition, … we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days.

Google confirmed that they have fixed both bugs. They also assure that there was no misuse of, or improper access to, the stored passwords. Nonetheless, they pledge to continue their investigations and audits to ensure that no other such bugs exist.

Moreover, they have also notified the affected G Suite customers and will reset passwords of all those who haven’t done it yet.

Let us know your views in the comments.

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]