Google stored G Suite passwords in plain text for 14 years
Google has joined the list of companies that are reckless with users’ data.
The company reported that it had accidentally stored passwords in plain text. G Suite users should pay attention to this. Google says the error affected a “small percent of G Suite users”, so it will not affect individual users’ accounts, though it may affect some corporate accounts.
As a rule, the company stores passwords on its servers in an encrypted state, known as a hash. G Suite is a corporate version of Gmail and, apparently, the error emerged in this product because of a feature developed specifically for companies.
Initially, a company’s administrator could use G Suite applications to set passwords manually, and the administrator’s console stored these passwords as plain text instead of hashing them.
Google has already disabled the feature that contained the mistake.
Previously, the passwords were available to authorized Google employees and to attackers. The administrator of each organization could also access the unencrypted passwords of the users in their group.
Recall that Twitter and Facebook encountered a similar issue earlier. At that time, Twitter did not comment on how long it had stored unencrypted user passwords. Facebook’s bug had existed since 2012, while Google’s error existed for 14 years, since 2005.
“As a rule, Google has a decent track record that allows it to quickly detect and correct mistakes, so the fact that it happened unnoticed since 2005 is puzzling” – says David Kennedy, CEO of TrustedSec, which performs penetration testing for enterprises.
Currently, Google is notifying G Suite administrators and says that it will automatically reset all affected passwords that have not yet been changed.
“We saw that at Twitter, Facebook and other organizations, where outdated processes and applications lead to the availability of passwords as open text outside the company. And even if access is internal only, it still presents a significant issue of authorization and security” – said David Kennedy.
As usually happens in such cases, Google apologizes and expresses regret.
Source: https://www.theverge.com