Corporate mail breach at Gmail? Google stored unencrypted G Suite user passwords for almost 15 years

Web application security specialists reported that Google made a serious security error when securing the passwords of some of its business clients because, for nearly 14 years, the company stored them in plain text by accident.

The incident impacts only users of G Suite, a service that provides multiple Google products under a custom domain name for enterprise clients. The flaw was reportedly caused by an error in the implementation of a feature for manually configuring and retrieving passwords.

G Suite service managers had access to a console from which they could set up accounts for new employees in their company; subsequently, the passwords were secured (a process known as hashing) before being stored by Google.

According to web application security experts, hashing is an irreversible one-way operation performed by Google. When a user provides their password, it is hashed and compared with the hash the company has stored; if there is a match, the password is valid and the user gets access to the service.
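The flow just described, as an added illustration that is not Google's code: an administrator-set password is stored only as a salt plus a one-way PBKDF2 digest, login re-derives and compares in constant time, and there is no function that returns the password, because a retrievable password is by definition a stored plaintext. The in-memory store, the iteration count and the function names are assumptions for the example.

```python
import hashlib
import hmac
import os

# Hypothetical in-memory user store (assumption: stands in for the
# account database an admin console would write to).
USERS: dict[str, dict] = {}

PBKDF2_ITERATIONS = 600_000  # cost factor; raise as hardware improves


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way: derive a fixed-size digest; the password cannot be
    recovered from the result, only re-derived from a fresh guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(username: str, password: str) -> dict:
    """What an admin 'set password' action should persist: salt and hash,
    never the password itself. Returns the stored record."""
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    record = {"salt": salt, "hash": hash_password(password, salt)}
    USERS[username] = record
    return record


def verify_password(username: str, candidate: str) -> bool:
    """Login check: re-derive from the candidate and compare digests in
    constant time. There is deliberately no 'retrieve password' function."""
    record = USERS.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def record_contains_plaintext(username: str, password: str) -> bool:
    """Audit helper: True if the raw password appears anywhere in the stored
    record, which is the defect the article describes."""
    record = USERS.get(username)
    if record is None:
        return False
    raw = password.encode("utf-8")
    return any(isinstance(v, bytes) and raw in v for v in record.values())
```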

Recently, Google acknowledged that, through an oversight, an unsecured copy of the password was stored in the company's systems. “We can ensure that, despite this inconvenience, confidential information was kept in an encrypted protected infrastructure and there is no evidence of unauthorized access”, says Google's engineering team.

In addition to this incident, Google revealed a second error that occurred in early 2019, when more unencrypted passwords were discovered stored in the company's systems. On this occasion, the confidential information was “exposed” for at least two consecutive weeks; Google's security teams assure that both incidents have been fixed.

According to web application security specialists from the International Institute of Cyber Security (IICS), the next step for Google is to alert the G Suite service administrators affected by both incidents so they can reset the passwords if necessary.

If affected G Suite users cannot be reached, Google could automatically reset the exposed passwords.