Google Reveals That Some G Suite Passwords Were Stored In Plaintext Since 2005

Google, one of the world’s biggest enterprise software companies, recently reported that the passwords of many of its corporate customers in a readable format. This opened them up to attacks from hackers and malicious parties.

However, Google also mentioned that only a subset of their G Suite customers were affected by this. Consumer, free Google accounts were not affected at all.

In addition, these passwords were not hashed, but were still stored in Google’s secure infrastructure for passwords. The plaintext passwords were stored for a maximum of 14 days.

Subscribe to our Newsletter

Join our editors every weekday evening as they steer you through the most significant news of the day, introduce you to fresh perspectives, and provide unexpected moments of joy
Your newsletter subscriptions are subject to AIM Privacy Policy and Terms and Conditions.

This issue has been in the system since 2005, and was caused due to a bug in one of the domain admin tools. This was the one to reset passwords. The security flaw came when the password was reset; a plaintext copy was stored by the admin console. Another copy ended up in Google’s infrastructure.

As one would guess, the plaintext password did not go through the hashing progress that makes Google’s passwords secure. Google ensured that the feature to recover lost passwords for G Suite customers no longer worked this way.

The issue was discovered in January 2019 while Google was troubleshooting sign up flows for G Suite implementations. Google’s sign in procedure is multi-fold.Every entered password is run through cryptography using a hash function to scramble the characters.

Upon the attempt to sign in to the account, the hash of the new password is checked against the stored hash to grant access to the account. This keeps the system secure, while keeping the password almost impossible to decode.

If the passwords were stored in plain text instead, an attacker could easily gain the credentials to a vast array of accounts. The unhashing functionality takes an unreasonable amount of compute and is not possible to execute in time for an attack.

The fact remains that even the plaintext passwords were stored behind many layers of security. This is the reason they were not found to be misused or accessed improperly in any way. The situation could have been worse in multiple ways. Even though this represents an incident that “did not live up to [Google’s] standards“, the passwords were not utilized to mount an attack.

Anirudh VK
I am an AI enthusiast and love keeping up with the latest events in the space. I love video games and pizza.

Download our Mobile App


AI Hackathons, Coding & Learning

Host Hackathons & Recruit Great Data Talent!

AIM Research

Pioneering advanced AI market research

Request Customised Insights & Surveys for the AI Industry


Strengthen Critical AI Skills with Trusted Corporate AI Training

Our customized corporate training program on Generative AI provides a unique opportunity to empower, retain, and advance your talent.

AIM Leaders Council

World’s Biggest Community Exclusively For Senior Executives In Data Science And Analytics.

3 Ways to Join our Community

Telegram group

Discover special offers, top stories, upcoming events, and more.

Discord Server

Stay Connected with a larger ecosystem of data science and ML Professionals

Subscribe to our Daily newsletter

Get our daily awesome stories & videos in your inbox