Technology giant Google has published a blog today in which says that it recently discovered a bug that caused passwords of some G Suite users to be stored in plain text. The company also admitted that the bug has been there since 2005, however, there is no evidence of anyone’s password being accessed improperly. In order to take corrective measures, Google is resetting any passwords that might have been affected and is also letting G Suite administrators know about the problem.
For those unaware, G Suite is the business version of Gmail and other apps by Google. The bug is said to have come in this product because of a feature designed especially for companies. Previously, it was possible for the company administrator for G Suite apps to set user passwords manually. This was usually used when a new employee came on board. However, if the company administrators did set the password manually, the admin console saved them in plain text and did not has them. Google has now removed this capability from administrators.
Google has spoken in detail about the entire issue in its blog post. It says that even though the passwords were saved in plain text, they were stored inside Google’s servers. According to the company, they will be harder to get than they were had they been on the open internet. While Google has put this in a way that is less explicit, the company seems to be making sure that people don’t put this incident in the same category as other plain text password problems where passwords have been leaked.
to recall, microblogging website Twitter advised all its users to change passwords in March this year because of a breach. Facebook admitted that it had stored “hundreds of millions” of passwords in plain text in a way where up to 20,000 of its employees could access them. The Facebook breach affected millions of users on Instagram too.
While Google has not characterized how many users have been affected by this bug, we can assume that anyone who was using G Suite in 2005 is affected. Speaking about the issue, Google said, “We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.”