Google incorrectly stored plaintext passwords


Google has admitted that some of its enterprise customers’ passwords have been incorrectly stored in plaintext, in a security issue dating back 14 years.

It has been disclosed that a bug caused a portion of G Suite users to have their passwords stored in plain text. The bug has been around since 2005, but there is no evidence that anybody’s password was improperly accessed. Google is resetting any passwords that might be affected and letting G Suite administrators know about the issue.

It’s unclear exactly how many users have been affected; Google would only say that it relates to a “subset of G Suite” customers. G Suite is the corporate version of Gmail and Google’s other apps, and the bug came about in this product because of a feature designed specifically for companies. The issue has been fixed and there is no evidence of improper access to or misuse of the affected passwords. No consumer Google accounts were impacted.

The company typically stores passwords on its servers in a cryptographically scrambled state known as a hash. But a bug in G Suite’s password recovery feature for administrators caused unprotected passwords to be stored in the infrastructure of an admin control panel. Google has confirmed that, even though the passwords were stored in plain text, they were at least stored inside Google’s servers. They would therefore have been harder to get to than if they had been out on the open internet.

Although Google didn’t say so explicitly, it seems they want to ensure people don’t associate this issue with other plain text password problems.

Facebook, Twitter and GitHub have all admitted storing user passwords in plaintext over the past year or so. In Facebook’s case, hundreds of millions of users are thought to have been affected.


For IT expertise and support please contact Lineal Software Solutions Ltd.