- Google accidentally kept un-encrypted user passwords belonging to its enterprise customers on its internal servers for a period of more than a decade, the company revealed in a corporate blog post on Tuesday.
- “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” Suzanne Frey, Google Cloud VP of Engineering wrote.
- The implementation error causing the issue happened 2005 and according to TechCrunch, wasn’t discovered until April of this year.
- Google did not estimate how many user accounts were impacted, nor did the company answer Business Insider’s question regarding the number of improperly stored passwords.
- The company said “we have seen no evidence of improper access to or misuse of the affected passwords.”
- Visit Business Insider’s homepage for more stories.
“We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” Suzanne Frey, Google Cloud VP of Engineering wrote.
Google said the issue stemmed from giving account administrators – for instance, a company’s head of IT – the ability to manually set passwords for employees – say, on an someone’s first day. But back in 2005, an error was made, Google said, and the admin portal ended up storing unhashed copies of passwords on the tech giant’s encrypted servers. In other words, for the past 14 years, some G Suite users have had their corporate passwords stored in such a way that would have been readable by authorized personnel, like account administrators or certain Google employees.
Google first found the issue this April and said it has since been fixed. In its blog post Tuesday, Google did not estimate how many user accounts were impacted, nor did the company answer Business Insider’s question regarding that number.
This February, Google announced that its G Suite platform – which includes apps like Gmail, Docs, and Hangouts – has over 5 million paying businesses.
“To be clear, these passwords remained in our secure encrypted infrastructure,” Frey wrote. “This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
Google said G Suite administrators have been notified and that it will update passwords that have not already been changed. It also said that none of its free consumer accounts were included in the mishap.
With Tuesday’s news, Google joins other tech giants – most notably Facebook – that have struggled to keep user passwords and other data safe and secured. In March, Facebook admitted to storing hundreds of millions of user passwords in plaintext for years, available to be seen by any of its 20,000 employees.
Do you work at Google? Got a tip? Contact this reporter via Signal or WhatsApp at +1 (209) 730-3387 using a non-work phone, email at firstname.lastname@example.org, Telegram at nickbastone, or Twitter DM at @nickbastone.