Google has revealed a security lapse in its G Suite service that has existed since 2005, in which some user passwords were stored in plaintext in its encrypted internal systems. The search giant said the issue affected only a small set of enterprise users, though it did not confirm the exact number of affected customers.
The security lapse was due to an error the company made with a particular G Suite functionality that had allowed domain administrators to manually set, upload, or recover passwords for users within their organization. The tool, found in the admin console, was used to help in situations such as onboarding new employees. Google clarified, though, that the ability to recover passwords in this manner has been discontinued.
However, the admin console accidentally stored the passwords in an un-hashed state, contrary to Google's standard security practices. The Mountain View-based internet giant acknowledged the omission on its part and assured enterprise users that no user password was compromised due to this particular incident, which has now been fixed.
In another instance of security oversight, Google confirmed that it "had inadvertently stored a subset of un-hashed passwords in our secure encrypted infrastructure" for a maximum of two weeks since January 2019. The incident was spotted when the company was troubleshooting new G Suite customer sign-ups, though it gave assurances that there had been no unauthorized access to those passwords.
Affected users have since been notified about the un-hashed password storage. Suzanne Frey, Google's Vice President for Engineering within its Cloud Trust unit, also stated that the firm will reset accounts whose passwords have not yet been reset.