
Google 'will do better' after G Suite passwords exposed since 2005

23 May 2019

Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption. Most people would expect that global tech companies with billions of dollars on hand would know better.

But this week Google was once again left red-faced, after the company admitted that its G Suite software had left enterprise users’ passwords completely exposed since at least 2005.

The problem lay in a tool that allows domain administrators to set and recover passwords manually for users. It let new employees receive their account details on their first day of work, and it was also used for account recovery.

However, Google made a mistake when it deployed that functionality in 2005. It turns out the admin console stored a copy of the plain-text password, completely unhashed and unencrypted.

“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Google's Cloud Trust VP of engineering Suzanne Frey explains in a blog.

That mistake is counter to Google’s standard password policies. Its sign-in system is designed so that a password can never be recovered. Instead it uses hash functions to scramble passwords: a hash function transforms the letters and numbers of a plain-text password into a sequence that looks something like “72i32hedgqw23328”.

Those hash functions are almost impossible to unscramble. When a user forgets their password, Google says it can’t unscramble that password – it can only set a temporary password and require the user to choose a new one.
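To make the difference concrete, here is a small added illustration (not Google's code, and not taken from the article) of an account store that keeps only a salted hash, so an administrator "recovering" an account can only issue a temporary password that the user must replace; the class and method names are invented for this example.

```python
import hashlib
import hmac
import os
import secrets


class AccountStore:
    """Hypothetical account store: keeps salt + hash, never the password itself."""

    def __init__(self):
        self.users = {}  # username -> {"salt": bytes, "hash": bytes, "must_change": bool}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # PBKDF2-HMAC-SHA256 from the standard library; a production system
        # would normally prefer a memory-hard function such as scrypt or Argon2.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

    def set_password(self, username: str, password: str, must_change: bool = False) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "must_change": must_change,
        }

    def verify(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        # Constant-time comparison of the stored hash with the candidate's hash.
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    def admin_reset(self, username: str) -> str:
        # The admin console holds only the hash, so it cannot hand back the old
        # password. It issues a fresh temporary one and forces a change at sign-in.
        temp = secrets.token_urlsafe(12)
        self.set_password(username, temp, must_change=True)
        return temp

    def stored_fields(self, username: str) -> set:
        # What the store actually persists for a user (no plain-text field).
        return set(self.users[username].keys())

    def hash_hex(self, username: str) -> str:
        # The scrambled form an operator would see instead of the password.
        return self.users[username]["hash"].hex()
```

The `must_change` flag is what turns the temporary password into a one-time bridge rather than a second long-lived credential.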

“In addition, as we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident,” Google continues.

Google says it has notified G Suite administrators and asked them to change all passwords affected by the errors.

“Out of an abundance of caution, we will reset accounts that have not done so themselves. Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password.”

“In addition, we provide G Suite administrators with numerous 2-step verification (2SV) options, including Security Keys, which Google relies upon for its own employee accounts.”

Google says it apologises to its users and takes enterprise customers’ security ‘extremely seriously’. It also says it prides itself on shaping best practices for account security.

The company adds that it will do better.
