On Tuesday, Google revealed a bug that left G Suite users' passwords stored in plain text for the last 14 years. For the uninitiated, passwords aren't supposed to be stored in that format, as doing so would leave them vulnerable to potential data breaches.
To be clear, the passwords were encrypted but unhashed. It's the kind of bug that could have enabled Google employees to access users' credentials, although the company pointed out that no such access occurred.
Passwords In Plain Text
To be clear, the bug only affects G Suite business users; free users are unaffected.
"We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials," said Google Cloud's VP of engineering Suzanne Frey.
The bug in question came as the result of an "error" in a password recovery implementation that left some of Google's passwords unhashed on its internal systems from 2005 until that method was discontinued. Though Google says there's "no evidence" that someone had misused any information, there's the possibility that an intruder could have had direct access to logins if they cracked the encryption.
The Importance Of Hashing
Hashing is a security technique that allows Google to give users access to their accounts without knowing what their passwords are. When a user signs in, Google's sign-in system hashes the password they enter and matches the result against the hash Google has stored. It's an incredibly secure way to scramble and further secure one's account credentials. The bug in question was the result of a flawed implementation whereby passwords were stored and encrypted but never passed through Google's hashing algorithm.
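The difference between hashed and encrypted-but-unhashed storage, as an added sketch that is not Google's code: a hashed record can only confirm a guess, while an encrypted record gives the password back to whoever holds the key. PBKDF2-HMAC-SHA256, its iteration count, the record layout and the toy XOR keystream standing in for real encryption are all assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example

def hash_password(password: str) -> dict:
    """Build the stored record: a random salt and a one-way digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

def verify_password(record: dict, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream standing in for a real cipher (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_password(key: bytes, password: str) -> dict:
    """Reversible storage: the password itself is kept, only scrambled under a key."""
    nonce, data = os.urandom(16), password.encode()
    stream = _keystream(key, nonce, len(data))
    return {"nonce": nonce, "ciphertext": bytes(a ^ b for a, b in zip(data, stream))}

def recover_password(key: bytes, record: dict) -> str:
    """Anyone holding the key gets the original password back."""
    stream = _keystream(key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], stream)).decode()

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    hashed = hash_password(pw)
    print("hashed record verifies:", verify_password(hashed, pw))
    print("wrong guess verifies:  ", verify_password(hashed, "guess"))
    key = os.urandom(32)
    print("encrypted record yields:", recover_password(key, encrypt_password(key, pw)))
```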
Despite there being no record of any breach, Google isn't taking any chances and has asked G Suite administrators to change passwords. It's also automatically resetting passwords for those who do nothing. Again, free Google accounts aren't affected by the bug, so they shouldn't be worried.
"To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords," said Frey.
The incident underscores the importance of strong multi-factor authentication, as Gizmodo notes. It is easy to lose control of passwords, so it makes sense for businesses to guard against such vulnerabilities by layering passwords with multiple authentication factors. It's also a cautionary tale stressing how crucial it is to prioritize security from the get-go. If companies don't, there's a high chance of incidents such as this one later on.