For the past 14 years, Google has stored the passwords of customers of its G Suite enterprise products in plaintext on its internal network. The company discovered the problem recently, has notified affected customers, and said there’s no evidence of improper access to the passwords.
G Suite is Google’s enterprise productivity offering, and includes Gmail, Drive, and many other apps. The offering is managed by an internal administrator at each customer.
The situation is a result of a mistake the company’s engineers made in 2005 when they were setting up a function for password recovery for enterprise administrators. The system was designed to allow administrators to set up and recover users’ passwords, which in normal circumstances are hashed before they’re stored. But during the implementation of the feature, Google’s engineers mistakenly allowed G Suite users’ passwords to be written to disk in unhashed form. That means that anyone inside Google with access to those servers would have been able to read those passwords.
However, the servers that stored the passwords were not exposed to the Internet, the company said.
“In our enterprise product, G Suite, we had previously provided domain administrators with tools to set and recover passwords because that was a common feature request. The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company’s users. The intent was to help them with onboarding new users; e.g., a new employee could receive their account information on their first day of work, and for account recovery. The functionality to recover passwords this way no longer exists,” Suzanne Frey, vice president of engineering for cloud trust at Google, said.
“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
The incident, while embarrassing for Google, likely does not represent much of a current threat to G Suite customers. The plaintext passwords stayed inside Google’s network and weren’t viewable externally, so the main concern would be access by a trusted insider. That’s not a minor concern by any means, but Google has notified all of the affected G Suite customers and required password resets for them. For any customers who haven’t made that change themselves, Google will reset the passwords. Also, Google’s systems don’t rely only on a password for authentication in many cases, especially for G Suite accounts.
“Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password. In addition, we provide G Suite administrators with numerous 2-step verification (2SV) options, including Security Keys, which Google relies upon for its own employee accounts,” Frey said.