Google Has Stored Some Passwords in Plaintext Since 2005

On the heels of embarrassing disclosures from Facebook and Twitter, Google reveals its own password bugs—one of which lasted 14 years.
People peer through portholes on a Google Inc. wall
Angel Garcia/Bloomberg/Getty Images

It happened again: Google announced today that it's the latest tech giant to have accidentally stored user passwords unprotected in plaintext. G Suite users, pay attention.

Google says that the bug affected "a small percentage of G Suite users," meaning it does not impact individual consumer accounts, but does affect some business and corporate accounts, which have their own risks and sensitivities. The company typically stores passwords on its servers in a cryptographically scrambled state known as a hash. But a bug in G Suite's password recovery feature for administrators caused unprotected passwords to be stored in the infrastructure of a control panel, called the admin console. Google has disabled the features that contained the bug.

Before it did so, the passwords would have been accessible to authorized Google personnel or malicious interlopers. Each organization's administrator could have also accessed the plaintext passwords for the account holders within their group.

Twitter and Facebook have dealt with plaintext password bugs of their own in the past 18 months. But where those two companies both concluded that it was unnecessary to auto-reset user passwords, Google is taking the step "out of an abundance of caution." At the time, Twitter would not comment on how long it had been storing users' passwords in plaintext. Facebook's bug dated back to 2012.

Google's bug, meanwhile, has existed since 2005—a year before "Google For Work" even became an official offering. And while the company emphasizes that it has no evidence that the plaintext passwords were ever accessed or abused, 14 years is a long time for sensitive data to hang around unnoticed.

"Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password," Google vice president of engineering Suzanne Frey wrote in a blog post. "In addition, we provide G Suite administrators with numerous two-step verification (2SV) options. ... We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards."

Google is in the process of notifying G Suite administrators, and says that it will also automatically reset any impacted passwords that haven't already been changed. The company discovered the bug in April, and an additional plaintext password bug in May during the course of its investigation. The latter accidentally stored plaintext passwords for new G Suite customers as they completed their sign-up. That bug only went into effect in January 2019, and those unhashed passwords were only stored for a maximum of 14 days. Google says that it has fixed both the main admin console plaintext bug and the more recent sign-up flow issue.

"Google typically has a decent track record of catching bugs fast and remediating them, so the fact that this was around since 2005 and wasn’t caught is disconcerting," says David Kennedy, CEO of the enterprise penetration testing firm TrustedSec. "We have seen this with Twitter, Facebook, and multiple other organizations where legacy processes or applications cause clear text passwords to be exposed internally. And even if it's only internal it still creates a substantial privacy and security concern."

Since all impacted passwords that haven't already been changed will be auto-reset by Google, you should focus on adding two-factor authentication to your G Suite account if you don't already have it—and maybe cross your fingers that these passwords went unnoticed for 14 years.


More Great WIRED Stories