Google stored user passwords in plaintext for 14 years

22 May 2019

Google on iPad. Image: Mactrunk/Depositphotos

A portion of Google G Suite business users will need to change their passwords and possibly up their security amid news that passwords were accidentally stored in plaintext.

Google has revealed that a number of G Suite user passwords were accidentally stored in plaintext for 14 years due to a bug in how password encryption was implemented.

In a blogpost published on Tuesday (21 May), the company’s VP of engineering and cloud trust, Suzanne Frey, explained that the company uses cryptographic hashes to mask stored passwords. The hash function scrambles the passwords beyond recognition and then stores them in that form, which Google claims is useless to cybercriminals as it is impossible to unscramble.

“However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” Frey said.

Frey went on to say that the affected users were notified to change their passwords and are encouraged to take up the two-step verification options the company provides.

The bug affected business users only, meaning no free consumer Google accounts were affected. The company said it has yet to find any evidence that the plaintext passwords were improperly accessed. It maintains that passwords, plaintext or not, were still stored on Google’s secure encrypted infrastructure.

With this latest news, Google now joins the ever-lengthening list of major tech firms disclosing security vulnerabilities of this kind. In May 2018, Twitter CTO Parag Agrawal disclosed that, due to a bug, the social media firm had stored “unmasked” passwords in an internal log. Similar to Google, the company maintained that the issue was swiftly rectified and that it found no evidence that passwords were misused.

Facebook was left similarly red-faced when it sheepishly admitted that not only were passwords stored in plaintext but the scale of the issue was far greater than previously implied. As well as having left the data of “hundreds of millions” of Facebook Lite users potentially vulnerable to attack, millions of users of its subsidiary Instagram had their passwords stored in a readable format.

Google on iPad. Image: Mactrunk/Depositphotos

Eva Short was a journalist at Silicon Republic