
Google accidentally stored some of the passwords of G Suite users as plaintext. According to the internet giant, the error that caused this affected a “small percentage of G Suite users”, Wired reports. The functions containing the error have now been disabled.

Google normally stores passwords on its servers in a cryptographically protected form known as a hash. However, an error in the password recovery function for administrators in G Suite caused unprotected passwords to be stored in the infrastructure of a control panel called the admin console.

The passwords were therefore accessible to authorised Google personnel, to malicious parties who were able to get into the infrastructure, and to the administrators of companies and organisations. The latter would only be able to access the plaintext passwords of accounts within their own groups.

The error has existed since 2005, a year before Google for Work became an official product. The company stresses that it has no evidence that the plaintext passwords have ever been accessed or abused.

Multiple layers of security

“Our authentication system works with many layers of protection in addition to the password, and we set up several automatic systems that block rogue login attempts, even if the attacker knows the password,” says vice president of engineering Suzanne Frey.

“In addition, we give G Suite administrators several two-step verification options. We take the security of our enterprise customers very seriously, and pride ourselves on bringing best practices to the account security industry. Here, however, we did not meet our own standards.”

Google is notifying G Suite administrators of the problem. The company also says that it will automatically reset all the passwords that have not yet been changed.

Second fault

Google discovered the error in April. In May, however, the company discovered a second plaintext password error during its investigation. This second error saved the passwords of new G Suite customers as plaintext after they had completed their login. It had only existed since January 2019, and the unsecured passwords were stored for a maximum of 14 days.

Google claims to have fixed both errors.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.