Google Admits To Storing Unhashed Passwords

Google has admitted that it stored some unhashed G Suite enterprise account passwords on its systems for approximately fourteen years.

The seriousness of the privacy gaffe was lessened after Google confirmed it didn’t affect consumers, and that “some passwords were stored in our encrypted internal systems unhashed.”

The admission bears a remarkable similarity to that of Facebook, which admitted in March that it had stored “hundreds of millions” of passwords in plaintext, unprotected by any form of encryption whatsoever.

Fourteen years

The ‘good news’ for Facebook was that the unprotected passwords were stored on Facebook’s internal servers that could only be accessed by 20,000 staff members.

And it seems to be a similar story for Google, after Suzanne Frey, VP of Engineering, Cloud Trust at the search engine giant, admitted in a blog post that it had just discovered a long-running password mistake associated with some of its G Suite Enterprise accounts (the business suite of Google services).

“Google’s policy is to store your passwords with cryptographic hashes that mask those passwords to ensure their security,” blogged Frey. “However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.”

“This is a G Suite issue that affects business users only – no free consumer Google accounts were affected – and we are working with enterprise administrators to ensure that their users reset their passwords,” said Frey. “We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials.”

Frey explained how Google had allowed domain administrators in its enterprise product (G Suite) to upload or manually set user passwords for their company’s users to help with account recovery and setting up new users.

“We made an error when implementing this functionality back in 2005,” Frey admitted. “The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Unhashed passwords

Frey said that Google had notified G Suite administrators to change those impacted passwords.

“Out of an abundance of caution, we will reset accounts that have not done so themselves,” she added.

Google is not the only guilty party over the years.

In May 2018 for example, Twitter urged all users to change their passwords after a “bug” meant that people’s passwords had been stored “unmasked in an internal log.”


Tom Jowitt
