4 min read

Google Stored Business Customers’ Passwords in Plaintext on Its Servers… For 14 Years

Graham Cluley

May 22, 2019

Google Stored Business Customers’ Passwords in Plaintext on Its Servers… For 14 Years

Google has admitted that some of its business customers of G Suite (formerly known as Google Apps) had their passwords stored on the company’s internal servers for 14 years in plaintext.

Although Google says it has seen “no evidence of improper access to or misuse of” the sloppily-stored credentials, the tech giant says it is contacting affected users to ensure that passwords are reset.

In a blog post Google admits that way back in 2005 it made a mistake when coding a password recovery feature in the G Suite admin console which caused unscrambled plaintext passwords to be stored on its servers.

That goof means that any Google employee who had access to the servers where the unprotected passwords were stored could have accessed the highly sensitive credentials.

As Google’s blog post succinctly describes the situation:

“This practice did not live up to our standards.”

Google says it has now fixed the bug, and is keen to emphasise that it was only G Suite enterprise customers whose passwords may have been put at risk, not consumers.

It turns out, however, that Google’s password storage problems didn’t stop there, as it has also admitted it introduced another problem earlier this year:

“In addition, as we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords.”

Google says it has notified administrators to change impacted passwords, and “out of an abundance of caution” will reset accounts that have not done so.

What Google hasn’t said is just how many of its corporate clients have been impacted by the issue, only stating that “a subset of [its] enterprise G Suite customers” are affected.

Hmm. A “subset” could mean any percentage between one and 99% of G Suite’s over five million business customers. One can only assume that Google doesn’t want to give a figure because it fears it will look bad, and compound the damage already done to its credibility by this embarrassing security faux pas.

Of course, it should go without saying that if you feel the need to change the passwords for your company’s Google accounts make sure that you also use the opportunity to ensure that you are not using the same passwords anywhere else on the internet.

On the theme of enhancing your company’s security, don’t turn a blind eye to the benefits – recently underlined by Google itself – of the proven security benefits of having additional layers of security such as two-step verification.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

View all posts

You might also like