Google has notified an unspecified number of its enterprise customers that their passwords have been stored in plaintext inside the company’s internal encrypted systems due to a technical issue that has existed since 2005.
The issue does not affect free Gmail consumer accounts, but only the enterprise accounts that Google refers to as G Suite. “We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse” of the affected credentials, Suzanne Frey, vice president of engineering in Google’s cloud division, wrote in a blog post Tuesday.
Frey apologized to users for not storing the passwords with cryptographic hashes, which is an industry best practice that prevents the data host from seeing a password in plaintext.
“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security,” Frey said. “Here we did not live up to our own standards, nor those of our customers.”
Frey said the tech giant erred in setting up the G Suite functionality in 2005 because an administrative console stored a copy of passwords in plaintext. In January 2019, she added, Google found that it had “inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure” for up to two weeks. Those issues have been fixed, she said.
Google is encouraging enterprise administrators to have users reset their passwords. “Out of an abundance of caution, we will reset accounts that have not done so themselves,” she wrote.