Google recently discovered a bug that led to the passwords of some G Suite users being stored in plain text on its servers, the company said in a blog post today. The bug had been around since 2005. Though Google said there was no evidence anyone’s password was improperly accessed or misused, “14 years is a long time for sensitive data to hang around unnoticed”, as Wired put it. Google said the issue was restricted to users of its G Suite apps for businesses and that no free Google accounts were affected. It clarified that the plain text passwords had been stored on its own encrypted servers and not the open Internet, and said it was working with enterprise administrators to ensure that their users reset their passwords.
Bug in password (re)setting feature for administrators: The issue came about because of a feature in G Suite that let administrators upload or manually set passwords for users, to help them with on-boarding employees and for account recovery. Google said it made an error when implementing this feature back in 2005, which caused the admin console to store a copy of the plaintext password. “The functionality to recover passwords this way no longer exists,” Google said.
How has Google responded? The company said it recently notified G Suite administrators and asked them to change the impacted passwords. “Out of an abundance of caution, we will reset accounts that have not done so themselves,” Google said.
Password blunders: Facebook, Instagram and Twitter
A report in March revealed that the passwords of hundreds of millions of Facebook users and tens of thousands of Instagram users were stored in plain text and searchable by thousands of Facebook employees for years. Facebook said in response that it was probing a series of security failures that allowed employees to build applications that logged unencrypted passwords and stored them in plain text on internal company servers. In April, the company clarified that millions, and not “tens of thousands”, of Instagram passwords had been stored this way, per The Verge.
Last May, Twitter told its more than 330 million users to change their passwords after it discovered a glitch that caused some passwords to be stored in plain text on its internal systems. Twitter said the bug caused an issue in the hashing process that masks passwords, and led to passwords being saved in plain text to an internal log.