Earlier today, on Tuesday, May 21, 2019, Google announced in a blog post to its official Google Cloud website, that it has stored some of its users’ passwords in plain text since as early as 2005. Google attributed its unsecured storage of passwords in plain text due to a bug.
The company shared that only G Suite users were affected, stating that only “a small percentage” of its G Suite users’ passwords were wrongfully stored. Google went on to say that, fortunately, the company is not aware of any instances of people, malware, or entities taking advantage of the bug to steal its users’ passwords.
All of the users’ passwords that were affected by the self-reported bug are being changed. Users will be contacted via email, through which they will be required to change their password in order to use their G Suite accounts.
Google also stated that it is currently in the process of getting the word out to all its G Suite administrators so they can make necessary adjustments.
G Suite, if you didn’t already know, is the business-use version of Google’s apps, which include Gmail. Administrators were, once upon a time, able to manually set and change its G Suite users’ passwords. If administrators did, in fact, take advantage of this opportunity, passwords would be stored in plain text.
Passwords are supposed to be stored via a cryptographic tool known as hashing. All of its users’ passwords are currently stored through the hashing process, just like most other tech companies’ products’ users’ passwords.
The aforementioned Google blog post explained to readers how hashing works as a means of informing their users about the function, which is the industry standard when it comes to storing passwords.
Google has historically been one of the best tech companies when it comes to storing its users’ passwords and other personal information securely. Facebook, Yahoo, and Twitter have all been guilty on multiple occasions of improperly storing their users’ personal information and passwords.
Unfortunately, Google did not state what number of users could have been affected by the 14-year-old bug, only stating that “a subset of our enterprise G Suite customers” were affected. The company further did not indicate who could have had access to the plain-text passwords.
Most such bugs don’t exist for as long as Google’s has, which makes it remarkable that nobody has stolen any of the passwords.