Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Google Warns G Suite Customers of Passwords Stored Unhashed Since 2005

Google on Tuesday said that some passwords for its G Suite customers were stored in an unhashed format since 2005.

Google on Tuesday said that some passwords for its G Suite customers were stored in an unhashed format since 2005.

“We are writing to inform you that due to legacy functionality that enabled customer Domain Admins to view passwords, some of your users’ passwords were stored in our encrypted systems in an unhashed format,” an email notice to G Suite administrators reads. “This primarily impacted system generated or admin generated passwords intended for one-time use.”

Suzanne Frey, a VP of Engineering at Google responsible for security, privacy, compliance and trust for Google Cloud, said in a blog post that it’s consumer Gmail accounts were not affected, but did not say how many G Suite Enterprise accounts were impacted.

“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password,” Frey said. “This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Frey also disclosed that Google had inadvertently stored a subset of unhashed passwords in its secure encrypted infrastructure starting in January 2019, noting that the issue had been fixed with no evidence of improper access to or misuse of the affected passwords during the timeframe.

The tech giant told G Suite administrators that it will force a password change on Wednesday, May 22, unless it has already been changed prior to that time.

Google provided the following password update methodology in the notice:

• Users With Single Sign On: We will reset their password by changing it to a randomly generated secure value. Please note that this will have no effect on their ability to log in using their Single Sign On credentials.


Advertisement. Scroll to continue reading.

• Other Users and Super Admins: We will terminate their sessions and prompt users to change their password at their next login.


• In addition, starting Wednesday, May 29, 2019 PT we will reset the password for users that have not yet selected a new password or have not had a password reset. These users will need to follow your organization’s password recovery process. Super Admins will not be impacted. For information on password recovery options please refer to the following Help Center Article.

In late March, Facebook admitted to storing the passwords of hundreds of millions of its users in plain text, including the passwords of Facebook Lite, Facebook, and Instagram users. GitHub also made a similar mistake in 218, after a bug caused internal logs to record passwords for some of its in plain text.

*Updated with comments from Frey

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybercrime

Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.