Google says a small number of its enterprise customers
mistakenly had their passwords stored on its systems in plaintext.
If you have a Google account, Google's core sign-in system
is designed not to know your password.
The search giant disclosed the exposure Tuesday but declined
to say exactly how many enterprise customers were affected. “We recently notified
a subset of our enterprise G Suite customers that some passwords were stored in
our encrypted internal systems unhashed,” said Google vice president of
engineering Suzanne Frey.
The company said that only G Suite enterprise customers were
impacted, but not regular Gmail accounts.
The tech giant said it had notified G Suite administrators
to change the impacted passwords.
Google on Wednesday extended an apology to its G Suite
customers.
"We apologise to our users and will do better,"
she added.
Most G Suite customers are companies that signed-up for
enterprise versions of Gmail, Google Docs, Google Sites, Google Drive, and
Google's various other services.
No consumer Gmail accounts were affected by the security
lapse, said Frey.
Storing passwords without cryptographic hashes expose them
to hacking risk as they become readable.
Passwords are typically scrambled using a hashing algorithm
to prevent them from being read by humans. G Suite administrators are able to
manually upload, set and recover new user passwords for company users, which
helps in situations where new employees are on-boarded. But Google said it
discovered in April that the way it implemented password setting and recovery
for its enterprise offering in 2005 was faulty and improperly stored a copy of
the password in plaintext.
Google has since removed the feature.
Google said the bug at the heart of this security breach was
an old tool it developed back in the 2000s.
"The tool (located in the admin console) allowed
administrators to upload or manually set user passwords for their company's
users," the company said today.
