G Suite Users Change Their Passwords Because of a Credential Storage Blunder
Google has made not one, but two password storage mistakes that directly affect some of its users. This type of news is bound to get quite a few people upset, but before everyone starts pulling their hair out, let's take a look at what actually happened, who should be worried, and what needs to be done.
The news came to light earlier today after Suzanne Frey, Google's VP of Engineering and Cloud Trust, wrote a blog post explaining the problem. One of the first things you need to know is that consumer Google accounts were not affected. The blog post didn't say how many users had their passwords improperly handled, but it did note that they all belong to enterprise customers who pay to use Google's G Suite apps. In other words, your Gmail login credentials have been kept safe.
Google inadvertently stored some passwords in plaintext
To find out what Google's first password storage mistake was, we need to rewind the tape by about fifteen years. Back then, the search engine giant was receiving quite a few feature requests from G Suite administrators who wanted more control over users' passwords. They wanted the ability to recover, assign, and upload passwords for individual users, which was supposed to, among other things, streamline the process of adding new people to the enterprise network. In 2005, the feature was added to the admin console.
It has since been replaced by a more efficient and safer way of handling users' passwords, but last month, Google realized that due to an implementation error, the feature had left copies of some passwords in plaintext.
The second password storage blunder is from January 2019. Google hasn't shared too many details on this one, but we do learn from Suzanne Frey's account that while they were troubleshooting a login problem for one of their clients, her team discovered that changes made four months ago resulted in G Suite storing passwords in plain form.
Passwords weren't leaked outside Google's infrastructure
Google is feeling rather embarrassed about the whole thing. In the notification, Suzanne Frey apologizes for the mistakes and notes that this lapse in account security is not up to Google's standards. She also says that her team is working tirelessly to audit all the systems and ensure that similar incidents don't happen again. It is indeed worrying to hear that even the biggest companies like Google are struggling with correct password storage, but even so, there are one or two things to suggest that it's not as bad as it seems.
First of all, Suzanne Frey points out that the plaintext passwords were found on Google's internal infrastructure. This doesn't change the fact that they weren't supposed to be there, but it does mean that only Google employees had access to them. Frey's team is still investigating the issues, but she did say that there's no evidence of any misuse of the leaked data. Nevertheless, the administrators of the affected organizations have already been notified, and the users who had their G Suite passwords exposed will be forced to change them very soon.
All in all, Google seems to be handling the problem rather well, but it's not all good news. We've recently witnessed a few similar incidents, and all of them involved large services with hundreds of millions of users. Just over a year ago, Twitter admitted that for a limited period of time, the passwords of all its users had been stored in plaintext. More recently, Facebook also said that millions of login credentials had been left in readable form on the social network's backend systems. A worrying trend seems to be emerging, and we can only hope that the Silicon Valley giants have been paying attention and will learn their lessons.