One would think that the biggest company in the world would take security seriously, reviewing its processes and checking its systems to insure security.
I mean, Google wouldn’t be so near-sighted to store passwords in plain text would it?
Unfortunately, that’s exactly what Google has confessed to in a blog post published this week.
“Google’s policy is to store your passwords with cryptographic hashes that mask those passwords to ensure their security. However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” wrote vice president of engineering and cloud trust at Google, Suzanne Frey.
“This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” added Frey.
As it turns out, Google failed to implement its password hashing functionality back in 2005 and since then a copy of a G Suite user’s unhashed passwords were stored in Google’s system. That’s 14 years that Google failed to notice its systems weren’t complying with its own standards.
The issue seemingly only affects G Suite users and not folks just making use of free Google services such as Gmail or YouTube.
To make matters worse, back in January of this year Google discovered yet another mistake in its systems.
“In addition, as we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access,” said the Google VP.
The search giant doesn’t detail how many users were affected by this failure to implement its policy.
To its credit Google has apologised to its customers.
“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better,” concluded Frey.
And do better you should Google, the fact that this went unnoticed for 14 years is terribly concerning and we hope that all of your systems are being looked at now.[Source – Google]