Google warned enterprise users that it had stored G Suite passwords in readable formats in two separate incidents.
G Suite is Google's enterprise competitor to Microsoft Office 365, offering paid plans to business users for Google's cloud apps. According to Google, the first issue -- dating back to 2005 -- was caused by an error in implementing functionality to allow domain administrators to manually set passwords for employees.
"The admin console stored a copy of the unhashed password. This practice did not live up to our standards," Suzanne Frey, vice president of engineering for Google's Cloud Trust team, wrote in a blog post. "To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords."
Google told SearchSecurity that access to the unhashed G Suite passwords was restricted to authorized users and affected only a small percentage of enterprise users.
Additionally, there was a second incident, beginning in January 2019, in which G Suite passwords were stored in a readable format. In the warning message sent to affected users, Google wrote that between Jan. 13 and May 9, G Suite passwords were "inadvertently stored" by "an internal system that logged account signup information for diagnostic purposes," but noted that this information was deleted after 14 days according to Google's data retention policies.
Frey noted in her blog post that the G Suite passwords for all affected accounts have been reset.
Google is the latest company to admit to storing user passwords in a readable format. Last year, a Twitter bug led to the passwords of all 336 million users being stored in plaintext in an internal log. And earlier this year, Facebook disclosed that hundreds of millions of user passwords from both Facebook and Instagram were stored in plaintext on an internal server.
While Google disclosed the incidents, the technical details are unclear. Dave Kennedy, founder and senior principal security consultant at security consultancy TrustedSec, said it was hard to tell what led to the incidents because Google's disclosure was too vague.
"My guess would be that the application had the ability to either encrypt/decrypt to see clear-text passwords, or it was actually stored in clear-text but on a disk volume that was encrypted at rest, which doesn't help in a situation where an employee or attacker had access to the running state of the application or system that was leveraging this," Kennedy wrote via Twitter direct message. "Super vague, though."
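The distinction Kennedy draws, between a credential store that can yield the password back (a plaintext copy, or reversible encryption whose key the running application holds) and one that keeps only a salted one-way hash, is easy to show in code. The following is an added illustration written for this article, not Google's code and not a description of how the G Suite admin console works; the field names, the scrypt parameters and the signup-event layout are assumptions for the example. It models an admin-set-password flow the way the first incident describes it (a recoverable copy kept beside the hash), the corrected flow, and the redaction step that the second incident's diagnostic signup log was missing.

```python
"""Added illustration (not Google's code): storing an admin-set password as a
salted scrypt hash, next to the two failure modes in the article, a recoverable
copy in the datastore and a password echoed into a diagnostic signup log."""
import hashlib
import hmac
import json
import os
from typing import Optional

# scrypt work factors; hypothetical choices for this example, tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a self-describing one-way credential record with no copy of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"alg": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"], dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def admin_set_password_leaky(store: dict, user: str, password: str) -> None:
    """The flaw: an unhashed copy is kept beside the hash. Encrypting the disk under
    this store changes nothing for anyone who reads it through the running application."""
    store[user] = {"cred": hash_password(password), "password_copy": password}


def admin_set_password(store: dict, user: str, password: str) -> None:
    """Fixed: only the one-way record is persisted."""
    store[user] = {"cred": hash_password(password)}


def login(store: dict, user: str, password: str) -> bool:
    """Authenticate against the stored record; unknown users and wrong passwords fail."""
    rec = store.get(user)
    return rec is not None and verify_password(password, rec["cred"])


def exposes_password(store: dict, user: str, password: str) -> bool:
    """What a reader of the datastore learns: does any stored field equal the password?"""
    def walk(value) -> bool:
        if isinstance(value, dict):
            return any(walk(v) for v in value.values())
        return value == password
    return walk(store[user])


# Hypothetical names of fields that must never reach a log.
SECRET_FIELDS = {"password", "password_copy", "recovery_answer"}


def diagnostic_log_line(event: dict) -> str:
    """Serialize a signup event for a diagnostic log with secret fields masked,
    the step whose absence produced the article's second incident."""
    safe = {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in event.items()}
    return json.dumps(safe, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    leaky, fixed = {}, {}
    admin_set_password_leaky(leaky, "alice@example.com", "correct horse")
    admin_set_password(fixed, "alice@example.com", "correct horse")
    print("leaky store exposes password:", exposes_password(leaky, "alice@example.com", "correct horse"))
    print("fixed store exposes password:", exposes_password(fixed, "alice@example.com", "correct horse"))
    print("login with correct password:", login(fixed, "alice@example.com", "correct horse"))
    print(diagnostic_log_line({"event": "signup", "user": "alice@example.com",
                               "password": "correct horse"}))
```

The point of `exposes_password` is the one Kennedy makes: the useful question is not whether the volume is encrypted but whether the application, or anyone with its access, can read the password back out of what it stored. A record produced by `hash_password` answers no; the leaky variant answers yes regardless of disk encryption. The log redaction is deliberately an allow-by-default mask over a denylist of field names, which is the minimum; a stricter design logs only an explicit set of known-safe fields.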