Google stored some G Suite passwords in unhashed form for 14 years
Google revealed that it recently discovered a bug that caused a subset of its enterprise G Suite customers to have their passwords stored in an unhashed — albeit encrypted — form for about 14 years.
“This is a G Suite issue that affects business users only — no free consumer Google accounts were affected — and we are working with enterprise administrators to ensure that their users reset their passwords,” Google said in a blog post disclosing the security lapse.
The company failed to specify exactly how many customers were affected this way. However, it went on to stress that it didn’t find any evidence of improper access.
G Suite is the company’s corporate version of Gmail and apps like Drive, Docs, and Hangouts, among others. This February, Google announced it had over 5 million paying businesses on its G Suite platform.
The issue stems from the way Google implemented password security in its core sign-in system. There are two different slip-ups at play here.
The first involves a G Suite feature available for IT staff since 2005. The tool, now no longer in existence, allowed them to set and recover users’ passwords via the admin console.
Google says the feature had been designed with an intent to onboard new employees, and help them sign into their accounts with passwords manually set by the admins. These passwords, according to the blog post, were not hashed.
Hashing is a standard security practice to protect user credentials by scrambling them, using a one-way encryption algorithm.
The company has a relatively good reputation when it comes to account security, so the fact this bug has been around for so long is a little disconcerting.
The second involves storing some unhashed user credentials for up to two weeks. This was discovered in January 2019 as it was troubleshooting new G Suite customer sign-ups, the search giant said.
With this latest development, Google becomes the latest company to join Facebook, GitHub, Instagram, and Twitter to suffer from embarrassing plaintext password bugs.
Back in May 2018, Twitter asked all its 330 million users to change their passwords after a bug exposed them in plaintext in an internal log. Then Facebook acknowledged earlier last March that it had been storing millions of user passwords in plaintext since 2012. A few weeks later, it expanded the scope of the security lapse to include millions of Instagram users.
Google’s case is a little different in that the passwords were eventually encrypted before they were stored on disk. This means, even if an attacker managed to get hold of your password, they would still have to unscramble it in order to gain access to your account.
A malicious interloper could theoretically use the search giant’s backend software to decrypt your password, although the scenario is extremely unlikely, as the attacker would’ve had to break into Google’s security infrastructure first without being detected.
Noting that both these security blunders have been fixed, Google urged users to make use of multi-factor authentication to thwart any account takeover attacks. It also apologized to its users for not following industry standards and promised to do better.
Industry: Cyber Security News
- Identity & Access Management (IdAM) Consultant
- Upto €100,000 plus bonus and benefits
An Identity & Access Management Consultant is needed to lead and drive technical and or business transformation projects in a client-facing position for a prestigious consultancy in Germany. The Identity & Access Management Consultant will be responsible for technical design and implementation of Identity & Access Management/IAM products within a wide variety of clients. The Identity & Access Management Consultant will have a blend of technical hands-on and client-facing consultancy with the ability to develop new business. Broad technical knowledge across Identity and access management is benefical. The Identity & Access Management Consultant will need to have technical hands-on experience with one or more of the following core areas; Privileged Access Management (PAM, CyberArk, Beyondtrust, Thycotic) Identity Governance Administration (IGA, Sailpoint, Omada, RSA) Customer Identity & Access Management (CIAM, Forgerock PSD2) The Identity & Access Management Consultant must have the willingness to travel to customer sites across Germany (once we are allowed to)
- Cyber Vulnerability and Threat Hunter, London
REF CH7915 Cyber Vulnerability and Threat Hunter, London £50,000 London To monitor and identify cyber threats and vulnerability within a public sector environment. MIRE Att&ck, CIS, OWASP, Vulnerability management tools MUST be able to commute to central London MUST be able to achieve UK SC Clearance. On going support and development. Apply today for more information or contact me directly on Chris.Holt@dclsearch.com or 07884666351
- Ping Identity Consultant
- upto €850
Looking for experienced PIng Identity Consultants, Looking for consultant with Implemenation or Architect experience in the Ping identity product set (Ping Federate, Ping Access, Ping Directory, Ping Adapter development, SDK etc) This would be for implementation projects, working across Europe. You will be responsible for providing implementation services to our clients from information gathering through to implementation. Evaluating client business, process, systems, and technology requirements and advise clients on best practices to help guide and solidify proposed designs. Manage Client expectations, Stakeholder Managment, ensuring design match business requirements this is a remote role you can be based anywher in Europe
- Ping Identity Consultant
Looking for experienced PIng Identity Consultants, Looking for consultant with Implemenation or Architect experience in the Ping identity product set (Ping Federate, Ping Access, Ping Directory, Ping Adapter development, SDK etc) This would be for implementation projects, working across Europe. You will be responsible for providing implementation services to our clients from information gathering through to implementation. Evaluating client business, process, systems, and technology requirements and advise clients on best practices to help guide and solidify proposed designs. Manage Client expectations, Stakeholder Managment, ensuring design match business requirements this is a remote role, you can be based anywhere within Europe