Google revealed in a blog post that a bug that has been around since 2005 caused some G Suite users to have their passwords stored in plain text.
Passwords stored with cryptographic hashes
"Google’s policy is to store your passwords with cryptographic hashes that mask those passwords to ensure their security. However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed," read the blog.
The firm pointed out that no free Google users were affected by the bug and that there is currently no evidence that any passwords were improperly accessed. The firm has informed administrators that may have been affected and is resetting all potentially affected passwords.
"This is a G Suite issue that affects business users only–no free consumer Google accounts were affected–and we are working with enterprise administrators to ensure that their users reset their passwords. We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials," read the blog.
G Suite is the corporate version of Gmail. The bug surfaced in this product because of a feature designed to allow companies' administrators to set user passwords manually.
"In our enterprise product, G Suite, we had previously provided domain administrators with tools to set and recover passwords because that was a common feature request. The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company’s users," read the blog.
That feature has now been canceled. Google's blog goes on to explain just how cryptography works, likely in an attempt to calm any fears that the bug revelation may have caused. It should be noted that though the passwords were stored in plain text, they were done so in Google’s private servers, not out on the open internet.
In addition, to informing all those affected by the bug the firm is also resetting accounts that do not do so themselves. Finally, Google also apologized for the mishap and made a promise to do better in the future.
"We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better," concluded the blog.