In brief: After Facebook and Twitter admitted to the same thing, Google says it has also found a bug that caused it to store some passwords in plain text. The issue, which only affected a portion of enterprise G Suite users, has been around since 2005. Thankfully for Google and its users, there’s no evidence that any of the passwords were improperly accessed.
The problem arose from a now-removed feature in G Suite enterprise accounts. Google had allowed domain administrators to manually set passwords for a company’s users so new starters could quickly log into accounts on their first day. But an error when implementing the feature back in 2005 meant the admin console stored a copy of these passwords in plain text.
Additionally, Google discovered that it had been accidentally storing unhashed G Suite customer passwords for a maximum of 14 days starting in January 2019. Again, the issue has been fixed, and there was no evidence of improper access.
While the plain text passwords were stored internally on Google’s secure servers, the company has contacted G Suite admins and told them to change those that are affected. It will be resetting any accounts that fail to comply.
Back in March, Facebook revealed that “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” had their passwords stored in an unencrypted, readable format. It later admitted that millions, not thousands, of Instagram users were affected.
Twitter has also experienced similar issues. The site advised all 330 million users to change their passwords last year after a bug stored them in plain text.
While the issue only affected a subset of G Suite users, and no unhashed passwords were stolen, this will still be an embarrassment for Google. The company admits it “did not live up to our own standards, nor those of our customers.”
In other Google news, the company earlier this week published research showing the importance of adding recovery phone numbers to its accounts.