While passwords on Google systems are these days encrypted using an algorithm, Google has discovered that the way it implemented password setting and recovery for its enterprise offering (G Suite – formerly known as Google Apps in 2005 was not robust. The company had been storing a copy of the password in plaintext, and this error was not discovered until April 2019 (and declared by Google on May 21).
The actual number of G Suite customers affected has not been disclosed (there are currently some 5 million users of the service, which includes apps like Gmail, Docs, and Hangouts).
Commenting on the cybersecurity lapse, Google vice president of engineering Suzanne Frey tells TechCrunch: “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.” She adds that there has been no impact upon consumer accounts.
Speaking with Digital Journal, Kevin Gosschalk, CEO, Arkose Labs states that there are wide lessons to be learnt from the incident: “Companies need to be constantly re-evaluating and testing their own security measures to make sure lapses in security or, in this instance, a faulty password setting and recovery offering, does not jeopardize its customers or their accounts. Google has more than 5 million enterprise customers using G Suite, and this mistake should have been recognized and prevented fourteen years earlier with proactive, ongoing security testing.”
The Google issue follow on from a similar one affecting Facebook. In March, Facebook declared that it had been storing hundreds of millions of user passwords in plaintext for years, and these passwords had been available to be seen by any of its 20,000 employees.
