
Google stored unhashed passwords due to an implementation error

  • Google has been storing passwords in plain text since at least 2005 due to an error in the implementation of a feature that allows users to manually set and recover passwords.
  • Google confirmed that there has been no evidence of any improper access to or misuse of the impacted G Suite passwords.

What is the issue?

Google accidentally stored unhashed passwords for some of its G Suite users for almost 14 years due to an implementation error.

The big picture

Google has been storing passwords in plain text since at least 2005 due to an error in the implementation of a feature that allows users to manually set and recover passwords.

Suzanne Frey, Vice President of Engineering at Google, said that the implementation error led to a copy of the unhashed password being stored on Google's encrypted systems.

“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure,” Frey said in a security notice.

What are the preventive measures taken?

  • Google is currently working with G Suite administrators to ensure that their users' passwords are reset.
  • It is also conducting a comprehensive investigation of the incident.

Issue Fixed

Google has confirmed that there has been no evidence of any improper access to or misuse of the impacted G Suite passwords. The issue has been fixed.

“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better,” Frey concluded.

Cyware Publisher
