Google reveals G Suite users’ passwords have been stored in plaintext

Wednesday, May 22, 2019

Google has become the latest technology giant to have accidentally stored its users’ passwords unprotected in plaintext on its servers. On Tuesday, May 21, it was revealed that Google’s G Suite platform mistakenly stored unhashed passwords of some of its enterprise users on internal servers in plaintext for 14 years because of a bug in the password recovery feature.

G Suite, formerly known as Google Apps, is a collection of cloud computing, productivity, and collaboration tools designed for corporate users, with email hosting for their businesses.

The flaw, which has not been patched, resided in the password recovery mechanism for G Suite customers. That mechanism allows enterprise administrators to upload or manually set passwords for any user of their domain without actually knowing their previous passwords, in order to help businesses with onboarding employees and with account recovery. Google says the plaintext passwords were not stored on the internet but on its own secure encrypted servers and that the company found no evidence of anyone’s password being improperly accessed.

In order to address the issue, Google has since removed the capability from G Suite administrators and emailed them a list of impacted users, asking them to ensure that those users reset their passwords.