Google today revealed that a bug in an old G Suite tool has resulted in the company storing customer passwords in an unhashed — but encrypted — form for nearly 14 years, between 2005 and 2019.
The company said that only G Suite enterprise customers were impacted, but not regular Gmail accounts.
Most G Suite customers are companies that signed up for enterprise versions of Gmail, Google Docs, Google Sites, Google Drive, and Google’s various other services.
Bug in old G Suite tool
Google said the bug at the heart of this security breach was in an old tool it had developed back in the 2000s.
“The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company’s users,” the company said today.
“The intent was to help [G Suite admins] with onboarding new users; e.g., a new employee could receive their account information on their first day of work, and for account recovery.”
Google said it made an error when it implemented this tool’s password-setting functionality back in 2005.
Passwords set through this tool were stored on disk without passing through Google’s standard password-hashing algorithm.
The passwords were still encrypted when stored on disk, Google added, so Google employees or intruders could not have read them in clear text.
The company said it discovered the bug this year, deprecated the tool, and corrected the issue.
“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Google said.
Second case of storing passwords in unhashed form
But Google also disclosed a second incident during which the G Suite platform had stored passwords without passing them through its regular password-hashing algorithm.
This second incident came to light when staff was “troubleshooting new G Suite customer sign-up flows.”
Google said that starting in January 2019, G Suite had stored passwords set during the sign-up procedure in an unhashed form. As in the first incident, the passwords were encrypted when saved to disk.
This second batch of unhashed passwords was stored on disk for only 14 days, which limited the bug’s impact, and Google said it also saw no signs of abuse or improper access to the passwords affected by this second bug.
G Suite admins have been notified
The company said today it already notified G Suite administrators and told them to reset user passwords that had been set through the old G Suite tool.
“Out of an abundance of caution, we will reset accounts that have not done so themselves,” Google also added. A copy of these emails can be seen below:
Under normal circumstances, this bug shouldn’t be a huge security risk for affected customers, as an attacker would have had to breach Google’s infrastructure first, locate the encrypted passwords in its immense data centers, and then retrieve the proper decryption key to decrypt the passwords before using any of them.
Google’s G Suite blunder is surely not on the same level as a recent Facebook snafu. Back in March, Facebook admitted to storing the passwords of hundreds of millions of Facebook accounts and millions of Instagram accounts in plaintext.