It happened again: Google announced today that it is the latest tech giant to have accidentally stored user passwords in plaintext. G Suite users, take note.
Google says the bug affected "a small percentage of G Suite users," meaning it doesn't touch individual consumer accounts, but it does affect some business and enterprise accounts, which carry their own risks and sensitivities. The company normally stores passwords on its servers in a cryptographically scrambled form known as a hash. However, a bug in a G Suite password recovery feature for administrators caused unhashed passwords to be stored in the infrastructure of a management control panel, called the admin console. Google has disabled the feature that contained the bug.
Until then, the passwords would have been accessible to authorized Google staff or to malicious interlopers. Each organization's administrator could also have accessed the plaintext passwords of the account holders in their group.
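The distinction the article draws is between a stored hash, which a verification routine can check without ever holding a recoverable copy of the password, and a stored plaintext copy, which anyone with read access to the data store can read directly. The following Python is an added illustration written for this page, not Google's code and not a description of how G Suite stores credentials: it hashes passwords with a salted, slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library), verifies a login against the stored record, and includes a small audit routine that flags any record in a store that still holds a raw password. The record layout, the `ITERATIONS` constant and the sample users are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for PBKDF2 (constructed value for the example; tune for your hardware).
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_HEX_LEN = 64  # SHA-256 digest, hex-encoded


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return a storable record containing only the salt, the hash and the
    work factor. The plaintext password is never part of the record."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Re-derive the hash from the candidate password and compare it in
    constant time against the stored hash."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(record["iterations"])
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def record_looks_hashed(record: Dict[str, object]) -> bool:
    """Heuristic used by the audit: a healthy record has no raw password
    field and its hash field is a hex digest of the expected length."""
    if "password" in record:
        return False
    stored = record.get("hash")
    if not isinstance(stored, str) or len(stored) != DIGEST_HEX_LEN:
        return False
    try:
        bytes.fromhex(stored)
    except ValueError:
        return False
    return True


def audit_store(store: Dict[str, Dict[str, object]]) -> List[str]:
    """Return the usernames whose stored record does not look like a hash,
    e.g. a feature that copied the raw password into a side table."""
    return sorted(user for user, rec in store.items() if not record_looks_hashed(rec))


def build_demo_store() -> Dict[str, Dict[str, object]]:
    # Constructed sample data: one correctly hashed account and one record
    # that a buggy "recovery" feature left holding the raw password.
    return {
        "alice": hash_password("correct horse battery staple"),
        "bob": {"password": "hunter2"},
    }


if __name__ == "__main__":
    store = build_demo_store()
    print("alice login ok:", verify_password("correct horse battery staple", store["alice"]))
    print("alice wrong pw:", verify_password("wrong", store["alice"]))
    print("records holding plaintext:", audit_store(store))
```

The audit is deliberately simple: it cannot prove that a hex string is a real hash rather than an encoded plaintext, but it catches the failure mode the article describes, a secondary data path that stores the password itself. In a real system the same check would run against every store that a recovery or sign-up flow writes to, not just the primary credential table.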
"The fact that this was around since 2005 and was not caught is disturbing."
David Kennedy, TrustedSec
However, Google's bug has existed since 2005, a year before "Google For Work" even became an official offering. And while the company emphasizes that it has no evidence that the plaintext passwords were ever accessed or misused, 14 years is a long time for sensitive data to sit unnoticed.
"Our authentication systems operate with many layers of defense beyond the password, and we deploy many automated systems that block malicious sign-in attempts even when the attacker knows the password," Google Vice President of Engineering Suzanne Frey said in a blog post. "In addition, we provide G Suite administrators with many two-step verification (2SV) options. … We take the security of our enterprise customers extremely seriously and pride ourselves on advancing the industry's best account security practices. Here we did not live up to our own standards."
Google is notifying G Suite administrators and says it will automatically reset any affected passwords that haven't already been changed. The company discovered the bug in April and an additional plaintext password bug in May. The latter, unfortunately, stored plaintext passwords for new G Suite customers when they completed sign-up; that bug was only introduced in January 2019, and the improperly stored passwords were retained for a maximum of 14 days. Google says it has resolved both the primary admin console plaintext bug and the more recent sign-up problem.
"Google typically has a decent track record of catching bugs quickly and fixing them, so the fact that this was around since 2005 and was not caught is worrying," says David Kennedy, CEO of the penetration-testing firm TrustedSec. "We've seen this with Twitter, Facebook and several other organizations where legacy processes or applications cause cleartext credentials to be exposed internally. And even if it's only internal, it still creates significant privacy and security risk."
Since Google will automatically reset any affected passwords that haven't already been changed, you should focus on adding two-factor authentication to your G Suite account, if you don't have it already, and perhaps cross your fingers that those passwords really did go unnoticed for 14 years.