News

Google openly stored G Suite passwords for 14 years

Google joined list of companies that are reckless to users’ data.

Company reported that accidentally stored passwords as an open text. G Suite users have to be attentive to it.

Google says that error touched “small percent of G Suite users”, so will not affect on separate users’ accounts though may affect some corporate accounts.

As a rule company stores passwords on its servers in the encrypted state, known as hash. G Suite is a corporate Gmail version and, apparently, error emerged in this product because of function, developed specially for the company.

Initially company’s administrator could use G Suite applications for manual passwords installation and administrator’s console preserved these passwords as a simple text instead of hashing.

Google has already disabled function that contained a mistake.

Previously passwords were available to authorized Google employees and attackers. Administrator of every organization could also get access to non-encrypted users’ passwords in his group.

Recall that earlier Twitter and Facebook encountered similar issue. A t that time Twitter did not comment, how long it stored non-encrypted users’ passwords. Facebook’s bug existed since 2012 while Google’s error existed for 14 years, since 2005.

David Kennedy

“As a rule, Google has decent track record that allows quickly detect and improve mistakes, so the fact that it happened unnoticed since 2005 is puzzling” – says David Kennedy, TrustedSec CEO on testing of invasions on enterprises.

Currently Google notifies G Suite administrators and reports that will automatically reset all affected passwords that have not yet been changed.

“We saw that on Twitter, Facebook and other organizations, where outdated processes and applications lead to availability of passwords as an open text outside the company. An even if access is internall only, it still presents significant issue of authorization and security” – said David Kennedy.

As it usually happens in such cases, Google apologizes and regrets.

We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.

Source: https://www.theverge.com

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

View Comments

Recent Posts

Remove Pbmsoultions pop-up ads (Virus Removal Guide)

Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…

2 days ago

Remove Prizestash pop-up ads (Virus Removal Guide)

Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…

2 days ago

Remove Verifiedbreaking pop-up ads (Virus Removal Guide)

Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…

2 days ago

Remove Themoneyminutes pop-up ads (Virus Removal Guide)

Themoneyminutes.com is a domain that tries to force you into subscribing to its browser notifications…

2 days ago

Remove News-xcidizi pop-up ads (Virus Removal Guide)

News-xcidizi.com is a domain that tries to trick you into clik to its browser notifications…

2 days ago

Remove Everytraffic-flow pop-up ads (Virus Removal Guide)

Everytraffic-flow.com is a domain that tries to trick you into subscribing to its browser notifications…

2 days ago