Dive Brief:
- In a security lapse, Google stored a "subset" of business customers' G Suite passwords unhashed since 2005, said Suzanne Frey, VP of engineering, cloud trust at Google Cloud, in a blog post Tuesday. The company has thus far found no evidence of "improper access to or misuse of" the passwords, which were stored on the company's encrypted internal systems.
- In a separate incident beginning in January, Google found unhashed passwords related to G Suite customer sign-up stored for a maximum of two weeks, Frey said. The company has fixed both flaws.
- Google said it contacted G Suite administrators at companies affected by the password function. If an impacted company has not reset accounts, Google will do it "out of an abundance of caution."
Dive Insight:
In its role as a leading vendor and Silicon Valley giant — privacy concerns and regulatory attention aside — Google Cloud is working to set security standards for technology. The company serves as an evangelist for best practices in cybersecurity and boasts of efforts like introducing security keys to show how small changes can improve a company's risk posture.
In how it stored these passwords, Google fell short of its self-imposed standards for almost 15 years. And while no consumers were impacted, which will likely keep the company out of the regulatory spotlight, it could tarnish business customer trust in Google's services.
At the root of the flaw is hashing, or rather the lack of it: Google was storing some G Suite business user passwords in plaintext.
When a user sets a password on a Google account, the company usually hashes it, scrambling the exact characters to store it with a username, according to Frey. "It is simple to scramble your password, but nearly impossible to unscramble it."
If a user forgets the password, Google can only reset and offer a temporary password for an account. It can't unscramble the original password.
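The set, verify and reset behavior described above, together with an audit that flags records left unhashed, as an added example that is not Google's code. The scrypt parameters, the `scheme$salt$digest` record layout and the sample store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters and record layout (illustrative only).
N, R, P, DKLEN = 2**14, 8, 1, 32

def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>'; the password itself is never stored."""
    salt = secrets.token_bytes(16)  # per-user random salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the candidate and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed or unhashed record: refuse, never compare plaintext
    if scheme != "scrypt":
        return False
    actual = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return hmac.compare_digest(actual, expected)

def reset_password(store: dict, user: str) -> str:
    """The original cannot be recovered, so a reset issues a new temporary password."""
    temporary = secrets.token_urlsafe(12)
    store[user] = hash_password(temporary)
    return temporary

def find_unhashed(store: dict) -> list:
    """Audit check: list users whose stored value is not in the hashed format."""
    flagged = []
    for user, record in store.items():
        parts = record.split("$")
        well_formed = (len(parts) == 3 and parts[0] == "scrypt"
                       and len(parts[1]) == 32 and len(parts[2]) == 2 * DKLEN)
        if not well_formed:
            flagged.append(user)
    return sorted(flagged)

# Constructed sample store: one correctly hashed record, one left in plaintext.
STORE = {"alice": hash_password("correct horse"), "bob": "hunter2"}
```

Running `find_unhashed` over a credential table on a schedule is one way to catch a storage path that bypasses hashing before it persists for years.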
Google has transparency on its side. The company owned up to its mistake and apologized. But it is trying to appeal more to enterprise customers, and any security mishaps are closely watched in a risk-conscious industry. Experts and tool adopters keep reputation top of mind.