
Google 'will do better' after G Suite passwords exposed since 2005

23 May 2019

Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption. Most people would expect that global tech companies with billions of dollars on hand would know better.

But this week Google was once again left red-faced, after the company admitted that its G Suite software had left enterprise users’ passwords completely exposed since at least 2005.

The problem lay in a tool that allows domain administrators to set and recover passwords manually for users. This allowed new employees to receive their account information on their first day of work, and also supported account recovery.

However, Google made a mistake when it deployed that functionality in 2005. It turns out the admin console stored a copy of the plain-text password, completely unhashed and unencrypted.

“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Google's Cloud Trust VP of engineering Suzanne Frey explains in a blog.

That mistake is counter to Google’s standard password policies. Its sign-in system is designed so that it cannot recover a password. Instead it uses hash functions to scramble passwords: the letters and numbers of a plain-text password are transformed into a sequence that looks something like “72i32hedgqw23328”.

Those hash functions are almost impossible to unscramble. When a user forgets their password, Google says it can’t unscramble that password – it can only set a temporary password and require the user to choose a new one.
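As an added illustration of the hashed-storage and reset flow described above (example code written for this article, not Google's own): a minimal account store that keeps only a random salt and a PBKDF2 hash, verifies sign-ins against it, and lets an administrator recover an account only by issuing a temporary password that must be changed. The in-memory store, the iteration count and the function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store (an assumption standing in for the admin
# console's backend): each record holds only a random salt and a PBKDF2 hash.
USERS: dict[str, dict] = {}
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the deployment


def _derive(password: str, salt: bytes) -> bytes:
    """One-way derivation: the password cannot be recovered from the output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def set_password(username: str, password: str, must_change: bool = False) -> None:
    """Store a fresh salt and hash; the plain-text password is discarded here."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt), "must_change": must_change}

def verify_password(username: str, password: str) -> bool:
    """Sign-in check: re-derive with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        _derive(password, bytes(16))  # same cost for unknown users, so timing does not leak names
        return False
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))

def admin_reset(username: str) -> str:
    """Recovery path: the old hash is replaced, never decrypted. The temporary
    password is returned once to hand to the user and is not kept in the store."""
    temp = secrets.token_urlsafe(12)
    set_password(username, temp, must_change=True)
    return temp

def change_password(username: str, current: str, new: str) -> bool:
    """Let the user replace a temporary password and clear the must-change flag."""
    if not verify_password(username, current):
        return False
    set_password(username, new, must_change=False)
    return True

def plaintext_present(username: str, password: str) -> bool:
    """Audit helper: True if the stored record contains the password bytes verbatim."""
    rec = USERS[username]
    return any(password.encode("utf-8") in rec[k] for k in ("salt", "hash"))
```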

“In addition, as we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident,” Google continues.

Google says it has notified G Suite administrators and asked them to change all passwords affected by the errors.

“Out of an abundance of caution, we will reset accounts that have not done so themselves. Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password.” 

“In addition, we provide G Suite administrators with numerous 2-step verification (2SV) options, including Security Keys, which Google relies upon for its own employee accounts.”

Google says it apologises to its users and takes enterprise customers’ security ‘extremely seriously’. It also says it prides itself on shaping best practices for account security.

The company adds that it will do better.
