Google admits to saving G suite passwords in plaintext since 2005, admins advised to reset passwords

By Digit NewsDesk | Updated May 22 2019
Google admits to saving G suite passwords in plaintext since 2005, admins advised to reset passwords

The problem was apparently due to a now-defunct tool that was made available for G Suite admins back in 2005.

Google has apologised and said it is notifying affected users.

Go from OpenAPI-to-GraphQL in 2 minutes

Create GraphQL interfaces in minutes and build mobile or client apps quicker. Leverage free, open source IBM Code Patterns.

Click here to know more

In this day and age of rapid information sharing, it seems like we come across news of a password breach or leak every other day. It was recently revealed how personal and public data of millions of Instagram influencers was being hosted on an unsecured server with open access and Google has now disclosed information about a G Suite issue that affected business customers by saving their account credentials in plaintext. The company says that passwords of a “subset of our enterprise G Suite customer” was stored in plaintext in their internal encrypted systems. Google says that it has been conducting an internal investigation and has not come across evidence that the passwords were misused. 

The problem is said to arise from tools for admins of G suite which enabled them to set and recover passwords. The company says it made a mistake when the feature was being implemented in 2005 as the admin console saved an unhashed or unencrypted copy of passwords. While the tool and its associated functionality of password recovery doesn’t exist anymore, Google discovered that starting January 2019, they had "inadvertently stored a subset of unhashed passwords" in their secure encrypted infrastructure. These credentials were reportedly stored in Google’s system for 14 days. 

Google says that the problem has been fixed and they have notified G Suite admins to change the impacted passwords. It will also reset accounts of users who have not changed their passwords themselves. "We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better," says Google's VP of engineering Cloud Trust, Suzanne Frey.

This news comes soon after TechCrunch reported that a Mumbai-based social media marketing firm called chatrbox was leaking Instagram users’ data. The firm is said to have an unprotected database that hosted data of millions of Instagram influencers, which consisted of their names, account status, phone numbers and more. The database is said to be offline now but the firm has not responded how it obtained private data of Instagram users. You can read more about this in detail here

Digit NewsDesk

The guy who answered the question 'What are you doing?' with 'Nothing'.

Digit caters to the largest community of tech buyers, users and enthusiasts in India. The all new Digit in continues the legacy of as one of the largest portals in India committed to technology users and buyers. Digit is also one of the most trusted names when it comes to technology reviews and buying advice and is home to the Digit Test Lab, India's most proficient center for testing and reviewing technology products.

We are about leadership-the 9.9 kind! Building a leading media company out of India.And,grooming new leaders for this promising industry.