Google stored some G Suite passwords in unhashed form for 14 years
Google revealed that it recently discovered a bug that caused a subset of its enterprise G Suite customers to have their passwords stored in an unhashed — albeit encrypted — form for about 14 years.
“This is a G Suite issue that affects business users only — no free consumer Google accounts were affected — and we are working with enterprise administrators to ensure that their users reset their passwords,” Google said in a blog post disclosing the security lapse.
The company failed to specify exactly how many customers were affected this way. However, it went on to stress that it didn’t find any evidence of improper access.
G Suite is the company’s corporate version of Gmail and apps like Drive, Docs, and Hangouts, among others. This February, Google announced it had over 5 million paying businesses on its G Suite platform.
The issue stems from the way Google implemented password security in its core sign-in system. There are two different slip-ups at play here.
The first involves a G Suite feature available for IT staff since 2005. The tool, now no longer in existence, allowed them to set and recover users’ passwords via the admin console.
Google says the feature had been designed with an intent to onboard new employees, and help them sign into their accounts with passwords manually set by the admins. These passwords, according to the blog post, were not hashed.
Hashing is a standard security practice to protect user credentials by scrambling them, using a one-way encryption algorithm.
The company has a relatively good reputation when it comes to account security, so the fact this bug has been around for so long is a little disconcerting.
The second involves storing some unhashed user credentials for up to two weeks. This was discovered in January 2019 as it was troubleshooting new G Suite customer sign-ups, the search giant said.
With this latest development, Google becomes the latest company to join Facebook, GitHub, Instagram, and Twitter to suffer from embarrassing plaintext password bugs.
Back in May 2018, Twitter asked all its 330 million users to change their passwords after a bug exposed them in plaintext in an internal log. Then Facebook acknowledged earlier last March that it had been storing millions of user passwords in plaintext since 2012. A few weeks later, it expanded the scope of the security lapse to include millions of Instagram users.
Google’s case is a little different in that the passwords were eventually encrypted before they were stored on disk. This means, even if an attacker managed to get hold of your password, they would still have to unscramble it in order to gain access to your account.
A malicious interloper could theoretically use the search giant’s backend software to decrypt your password, although the scenario is extremely unlikely, as the attacker would’ve had to break into Google’s security infrastructure first without being detected.
Noting that both these security blunders have been fixed, Google urged users to make use of multi-factor authentication to thwart any account takeover attacks. It also apologized to its users for not following industry standards and promised to do better.
source thenextweb
Industry: Cyber Security News
Latest Jobs
-
- Senior Data Privacy Consultant. Client Facing | London
- London
- N/A
-
Senior Data Privacy Consultant. Client Facing | London Senior Data Privacy Consultant needed for a key client facing opportunity. Must be willing to undergo SC Security Clearance. Hybrid role- onsite with customer / office 2-3 days a week. London Key Responsibilities: Lead and support client facing data privacy projects. Assess compliance, define and deliver strategic projects / implement privacy solutions. Manage project teams and develop business opportunities. Required Experience: Experience in data protection and privacy standards. Background in consulting. Skills and Qualifications: Business consulting experience IAPP Privacy Manager / Privacy Technologist Location Greater London UK based role. Not able to provide VISA sponsorship.
-
- Security Analyst - Internal role. London commutable. Permanent
- London
- N/A
-
Security Analyst - Internal role. London commutable opportunity. Operational Security - Investigate, escalate and proactively work to ensure household name remains protected. Project Security - Coordinate, log change requests with project delivery teams to meet security requirements Policy / compliance - work with team to aid in uplifting these as and where needed This role is role to investigate, escalate and proactively work to protect a globally recognised brand. You must have current hands on operational analytical security experience with Microsoft technology stack Someone with a SOC Analyst / security engineering background would be well suited. This position will join a small team and would suit someone that has broad experience across the security threat landscape. Experience / knowledge across industry GRC standards such NIST, ISO27001 etc very advantageous and a priority. You will work across multiple teams proactively working to secure the business. Must be able to commute to Central London 3 days a week. Visa sponsorship not available Apply today to find out more.
-
- Network / Security Infrastructure Engineer | West London | Permanent
- London
- N/A
-
Network / Security Infrastructure Engineer | West London | Current Config, Install, upgrade experience On prem / Datacetner experience essential. Hands on experience MUST include: Routing, Switching, Network Security (firewall, IDS etc), Microsoft exchange / Exchange 365. Scripting / automation experience wanted. Python, Powershell etc Regular travel to West London is required. Visa sponsorship not available. Apply today for more information chris.holt@dclsearch.com Use this whatapp link to reach out https://wa.me/message/6USF5RAQBOZIP1
-
- SailPoint File Access Manager Consultant/ Architect
- N/A
- discussed on applications
-
SailPoint File Access Manager (SailPoint FAM) Consultant/ Architect is required for an up coming projects, Ideally looking for someone with experience in Designing and deploying SailPoint FAM , this is a new Deployment, you will work with customer in the initial workshop phase, to understand requirements and to get the initial design, you will then be responsible for deploying the solution. This is a home based role, with some onsite visits required during the length of the project. We are looking for someone who has previous experience in Deploying SailPoint FAM (ideally done design work) Need to have experience with SharePoint and ideally Azure and Share file