Google stored some passwords in plain text for fourteen years

In a blog post today, Google revealed that it recently discovered an error that caused some G Suite users to have their passwords stored in plain text. The error has existed since 2005, although Google says it cannot find any evidence that anyone's password was improperly accessed. It is resetting passwords that may be affected and alerting G Suite administrators about the problem.

G Suite is the corporate version of Gmail and other Google applications, and apparently the error occurred in this product due to a feature designed specifically for companies. From the beginning, a company's administrator was able to manually set user passwords for G Suite applications, for example before a new employee was added, and if they did, the administrative console would store those passwords in plain text instead of hashing them. Google has since removed that ability from administrators.

Google's post goes to great lengths to explain how cryptographic hashing works, probably in an effort to ensure that the nuances surrounding this error are clear. Although the passwords were stored in plain text, they were at least stored in plain text on Google's servers, so they would be harder to reach than if they had simply been exposed on the Internet. Although Google did not say so explicitly, it also seems to want to make sure that people do not put this error in the same category as other plain text password problems where the passwords were leaked.

And, oh, there have been so many of them, as Wired notes. Twitter recommended that its 330 million users change their passwords in March due to a violation. Facebook stored "hundreds of millions" of passwords in plain text so that up to 20,000 of its employees could have accessed them. Instagram had to admit that Facebook's violation had affected millions of Instagram users (not the smaller number previously disclosed).

For its part, Google did not characterize the number of users that could have been affected by this error, beyond saying that it affected "a subset of our G Suite business customers", presumably anyone who was using G Suite in 2005. And although Google could not find evidence that someone had used this access in a malicious way, it is not entirely clear who would have had access to these plain text files either.

In any case, it is now fixed, and Google is suitably apologetic in its post about the whole problem:

We take the security of our business clients very seriously and take pride in promoting the best industry practices for the security of the accounts. Here we do not comply with our own standards, nor with those of our clients. We apologize to our users and we will do better.

