After Facebook admitted that passwords of hundreds of millions of users were stored in plaintext, it is now Google’s turn to reveal a similar security lapse. The search giant has confirmed that it had mistakenly stored passwords of a small number of its enterprise customers in plaintext. The details regarding the storing of user passwords in plaintext were disclosed on Tuesday, but the company did not reveal how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Suzanne Frey, Vice President of Engineering at Google.
Tech companies typically use hashing algorithms that scramble passwords so that they cannot be read by humans. In the case of G Suite, administrators can manually upload, set and recover new user passwords for company users, a feature designed to help when new users are on-boarded at enterprises. Google has now said that it discovered in April that the method used for password setting and recovery for its enterprise customers since 2005 was faulty. This led to user passwords being stored improperly, with a copy of the password stored in plaintext.
According to TechCrunch, Google has removed the feature and Frey adds that no consumer Gmail accounts were affected by this security lapse. “To be clear, these passwords remained in our secure encrypted infrastructure,” said Frey. “This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
Google has more than 5 million enterprise customers using G Suite. Earlier this month, the company reportedly also discovered a second security lapse while it was troubleshooting new G Suite customer sign-ups. The security lapse, according to Google, is related to improperly storing “a subset” of unhashed G Suite passwords on its internal systems for up to two weeks since January. These systems were only accessible by a limited number of authorized Google staff, the company added. “This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords,” Frey confirmed.
As a preventive measure, Google has notified G Suite administrators to warn them of the password security lapse. It will reset account passwords for those who have yet to change them, and a Google spokesperson has confirmed that the same has been communicated to data protection regulators as well.