Google today revealed that a bug in an old G Suite tool has resulted in the company storing customer passwords in an unhashed — but encrypted — form for nearly 14 years, between 2005 and 2019.
The company said that only G Suite enterprise customers were impacted, but not regular Gmail accounts.
Most G Suite customers are companies that signed-up for enterprise versions of Gmail, Google Docs, Google Sites, Google Drive, and Google’s various other services.
BUG IN OLD G SUITE TOOL
Google said the bug at the heart of this security breach was an old tool it developed back in the 2000s.
“The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company’s users,” the company said today.
“The intent was to help [G Suite admins] with onboarding new users; e.g., a new employee could receive their account information on their first day of work, and for account recovery.”
Google said it made an error when it implemented this tool’s password-setting functionality back in 2005.
Passwords set through this tool were stored on disk without passing through Google’s standard password-hashing algorithm.
The passwords were eventually encrypted when stored on disk, Google added, meaning that Google employees or intruders couldn’t see or read the passwords in clear text.
The company said it discovered the bug this year, deprecated the tool, and corrected the issue.
“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Google said.
A SECOND CASE OF STORING PASSWORDS IN UNHASHED FORM
But Google also disclosed a second incident during which the G Suite platform had stored passwords without passing them through its regular password-hashing algorithm.
This second incident came to light when the staff was “troubleshooting new G Suite customer sign-up flows.”
Google said that starting with January 2019, G Suite had stored passwords set during the sign-up procedure in an unhashed form. Just like during the first incident, the passwords were eventually encrypted when saved to disk.
This second batch of unhashed passwords was only stored on disk for 14 days, minimizing the bug’s impact, and Google said it also didn’t see any signs of abuse or improper access for passwords associated with this second bug.
G SUITE ADMINS HAVE BEEN NOTIFIED
The company said today it already notified G Suite administrators and told them to reset user passwords that had been set through the old G Suite tool.
Under normal circumstances, this bug shouldn’t be a huge security risk for affected customers, as an attacker would have had to breach Google’s infrastructure first, locate the encrypted passwords in its immense data centers, and then retrieve the proper decryption key to decrypt the passwords before using any of them.
Google’s G Suite blunder is surely not on the same level as a recent Facebook snafu. Back in March, Facebook admitted to storing the passwords of hundreds of millions of Facebook accounts and millions of Instagram accounts in plaintext.
Fortune 100 passwords, email archives, and corporate secrets left exposed on unsecured Amazon S3 server
Fortune 100 passwords, email archives, and corporate secrets left exposed on unsecured Amazon S3 serverSome of the world’s biggest companies have had 750GB worth of their innermost secrets revealed on unsecured Amazon S3 buckets, available for anybody to download – no...
New Microsoft Excel Attack SurfacesResearchers have identified a security hole in Microsoft Office’s Excel spreadsheet program that allows an attacker to trigger a malware attack on remote systems. A feature in Microsoft Office’s Excel spreadsheet program called Power...
Malicious URL attacks using HTTPS surge across the enterpriseCyberattacks launched against the enterprise which makes use of the HTTPS protocol are increasing alongside spoofing and cloud-based threats, new research suggests. According to FireEye's Q1 2019 Email...
Stay Up to Date With The Latest News & Updates
Join Our Newsletter
Get weekly tech updates and immediate alerts when there is a zero-day or security issue!