Even companies that are normally quite good at providing security for their users occasionally wind up with egg on their faces. Google is a case in point. Recently, the company announced that a bug in an older segment of its GSuite code base had caused it to store customer passwords in an encrypted but un-hashed form for more than a decade.
Somehow, this bug managed to go undetected for a staggering fourteen years. On discovering it, the company immediately corrected the issue, so there’s nothing for GSuite users to do at this point, although the company is recommending that all GSuite Enterprise customers immediately change their passwords just to be safe.
The company also notes that only GSuite Enterprise customers were impacted. If you’re just a regular Gmail user, your password was not exposed in the manner described above. Google’s official statement about the matter reads, in part, as follows: “To be clear, these passwords remained in our secure encrypted infrastructure. The issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
This is the second time in recent months that the company has found itself dealing with issues of exposed passwords in systems that were thought to be highly secure. Again, this is proof positive that even the largest companies with generally good reputations where security is concerned can misstep.
GSuite Admins have been notified and instructed to reset all user passwords that had been set using the old tool. If you’re one of the impacted users, odds are excellent that this has already been done. If you’re not sure, check with your IT staff to confirm that base is covered.