The news is disconcerting, Google has accidentally stored the passwords of the G Suite users in plain-text for 14 years, this means that every employee in the company was able to access them.
According to the tech giant, the incident was caused by a bug in the password recovery mechanism and only business users were affected.
“However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.” reads a blog post published by the company. “This is a G Suite issue that affects business users only–no free consumer Google accounts were affected–and we are working with enterprise administrators to ensure that their users reset their passwords. “
The G Suite (aka Google Apps) includes cloud computing, productivity and collaboration tools, it is widely adopted by business users, Google already addressed the bug by removing the capability from G Suite administrators.
The bug resides in the password recovery mechanism for G Suite customers that allows enterprise administrators to upload or manually set passwords for any user of their domain without the knowledge of their previous passwords. The procedure could be used to set the password for newcomers employees and for account recovery.
Google admitted that if the admins reset the password, the admin console would store the passwords in plain text on google servers.
Google investigated the problem and confirmed that it has no evidence of improper access to or misuse of the affected G Suite credentials.
“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the
Google attempted to reassure users explaining that even if the passwords were stored in plain text passwords they were stored on internal secure encrypted servers that were not accessible for the open Internet.
At the time Google did not reveal how many users might have been impacted, but we have to consider that currently, G Suite has 5 million enterprise customers potentially at risk.
The company notified the incident to the impacted business users via and asked them to reset their passwords, it also announced that will automatically reset passwords for users who do not change their passwords.
In 2018, Twitter asked more than 330 million users to change their passwords after a bug exposed them in plain text on internal systems.