Google revealed a bug on Tuesday that left enterprise G Suite passwords stored incorrectly for the last 14 years so that they were encrypted but unhashed. It’s a bug that could have allowed Google employees to access credentials — but Google was quick to point out no such access was detected.
The mistake only impacts business G Suite users; free users of Google products are unaffected.
“We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials,” said Suzanne Frey, Google Cloud’s Vice President of engineering.
Hashing is a useful technique in cryptography that allows Google to give you access to your accounts without storing your password itself. Google’s sign-in system hashes the password you type and matches the result — a fixed-length, one-way digest that cannot be reversed to recover the password — with the hash Google has stored. Because a hash cannot be turned back into the original password, it is a key way to scramble and further secure your account credentials; an encrypted password, by contrast, can be recovered by anyone who holds the decryption key.
The bug revealed today was traced back to a tool built in 2005 that allowed administrators to set passwords for new employees. The goal was to help with tasks like onboarding new users. But the implementation was flawed and passwords stored using this tool were encrypted but never passed through Google’s hashing algorithm.
“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Frey said.
Another bug revealed today by Google showed that unhashed passwords were stored for two weeks in Google’s infrastructure.
Affected administrators have been notified.
This is another incident that underlines the importance of strong multifactor authentication. It’s shockingly easy to lose control of a password — although no one appears to have accessed these improperly secured passwords — so it makes sense for business and personal use to secure your accounts with multifactor authentication.
Today, tomorrow, and every day: May we recommend a security key?