Google, one of the world’s biggest enterprise software companies, recently reported that the passwords of many of its corporate customers in a readable format. This opened them up to attacks from hackers and malicious parties.
However, Google also mentioned that only a subset of their G Suite customers were affected by this. Consumer, free Google accounts were not affected at all.
In addition, these passwords were not hashed, but were still stored in Google’s secure infrastructure for passwords. The plaintext passwords were stored for a maximum of 14 days.
This issue has been in the system since 2005, and was caused due to a bug in one of the domain admin tools. This was the one to reset passwords. The security flaw came when the password was reset; a plaintext copy was stored by the admin console. Another copy ended up in Google’s infrastructure.
As one would guess, the plaintext password did not go through the hashing progress that makes Google’s passwords secure. Google ensured that the feature to recover lost passwords for G Suite customers no longer worked this way.
The issue was discovered in January 2019 while Google was troubleshooting sign up flows for G Suite implementations. Google’s sign in procedure is multi-fold.Every entered password is run through cryptography using a hash function to scramble the characters.
Upon the attempt to sign in to the account, the hash of the new password is checked against the stored hash to grant access to the account. This keeps the system secure, while keeping the password almost impossible to decode.
If the passwords were stored in plain text instead, an attacker could easily gain the credentials to a vast array of accounts. The unhashing functionality takes an unreasonable amount of compute and is not possible to execute in time for an attack.
The fact remains that even the plaintext passwords were stored behind many layers of security. This is the reason they were not found to be misused or accessed improperly in any way. The situation could have been worse in multiple ways. Even though this represents an incident that “did not live up to [Google’s] standards“, the passwords were not utilized to mount an attack.