Google has revealed in a blog post that the passwords of several G-Suite enterprise customers were stored in plain text. Unknown to the foremost internet organization, the password had remained in plain text for 14 years – since 2005. Google explained that the breach was caused by a bug.
While it is not certain that the account of anyone has been accessed maliciously, Google said they are resetting every customer’s password and notifying G-Suite administrators about the situation, The Verge reported.
G-Suite incorporates Google’s apps and corporate email for enterprise customers. The envelop product was designed for companies and paying customers who need enterprise solutions for their businesses. Initially, Google allowed company administrators to manually set the passwords of G-Suite apps.
Back then, the admin consoles of the organizations did not hash the passwords but saved them in plain text. But this is no longer the case because Google has made it impossible for G-Suite company administrators to manually save passwords.
We Made an Error When Implementing This Functionality Back In 2005, Google Confesses
In the confessional post, Google made it clear that cryptographic hashing is involved in how passwords are stored in their server. They explained that the passwords are actually stored in plain text, but inside their secured servers. This way, it becomes nearly impossible for anyone to access them there. Maybe Google administrators and engineers.
“We made an error when implementing this functionality back in 2005,” Google confessed. “The admin console stored a copy of the unhashed password. This practice did not live up to our standards.”
Google seemed to infer that people shouldn’t mix this current password breach with earlier ones caused by other bugs.
Funny enough, this is not the first time big social media organizations have failed their users or disappointed themselves. Facebook reportedly kept users passwords in a plain text manner in which about 20,000 employees could access them if they wanted.
Twitter back in March asked its 330 million users to change their passwords on account of a security breach. Instagram has also inferred that Facebook’s security breach had compromised millions of Instagram users on a number of occasions.
We Did Not Live Up To Our Own Standards, Nor Those of Our Customers, and Apologize To Our Users
With the current case, Google apologized to their users and announced that the password exposure has been fixed.
“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security,” Google wrote. “Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.”
Google did not reveal the number of G-Suite enterprise customers affected by this bug, but analysts believe that people and businesses using the app suite since 2005 may be at risk.
While the giant internet corporation did not say how the bug occurred or the number of employees who could have accessed the plain text passwords, they revealed that there is no sign that anyone used the passwords in any malicious manner.