Google revealed that the passwords of some of its enterprise G Suite users were stored in plain text, due to an issue dating back to 2005.
The issue stems from the implementation of a feature allowing administrators to manually set and recover passwords, causing the G Suite admin console to store a copy of the unhashed password.
Google said this only affected business users and no free consumer-grade Google accounts were affected.
“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security,” Google VP for engineering for Cloud Trust Suzanne Frey said in a blog post.
“Here we did not live up to our own standards, nor those of our customers. We apologise to our users and will do better.”
Google runs user passwords through a hash function and stores the resulting hashes alongside usernames, which are then encrypted before being saved.
G Suite previously provided domain administrators with tools to set and recover passwords, letting them upload or manually set passwords for their company’s users. The company said it “made an error” that led the admin console to store a copy of the unhashed password.
“This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure,” Frey said.
“This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
Frey added that Google discovered it had inadvertently stored a subset of unhashed passwords for up to 14 days, starting in January 2019, but said the issue has since been fixed and that the company found no evidence of improper access to or misuse of the affected passwords.