Google Stored Business Customers’ Unhashed Passwords

Passwords are hard to manage. People often struggle to create unique, complex passwords for every account they need to protect, and companies regularly fail to protect those passwords. Case in point: Google’s announcement on Tuesday that it stored the passwords of some G Suite users in plain text from 2005 to 2019.

Most systems automatically “hash” passwords to make them nearly indecipherable to hackers. That way, if someone compromises a target system, they’ll be left with a bunch of gobbledygook that most hackers couldn’t do anything with. A 2005 update to G Suite meant to help users recover their passwords accidentally stopped that hashing.

The passwords were still kept on Google’s encrypted systems, but that’s not particularly comforting, because employees might have been able to access the unhashed passwords. Hashing isn’t just supposed to stymie hackers; it’s also supposed to help protect people from the companies they’re trusting with their data.

Google said the issue only affected its business customers, so consumers shouldn’t have to rush to change their passwords. The company also notified affected customers and will automatically reset any accounts that don’t change their passwords themselves. (Pour one out for the IT departments that have to manage that kerfuffle.)

There was no indication that any of the passwords were misused, Google said, which means resetting the accounts would mostly be a precautionary measure. Hopefully it would ultimately be unnecessary, but it’s best not to assume when it comes to the security of accounts used by large companies around the world.

Hashing is a basic requirement for any company whose users rely on passwords to protect their accounts. But Google isn’t even the only tech juggernaut to fail in this regard—Facebook left up to 600 million user passwords (and millions of Instagram passwords) similarly unguarded. Even the basics of password security can be elusive.
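
To make the hashing described above concrete, here is an added example (not code from Google or from this article) that stores a password as a salted PBKDF2 hash, verifies a login against it, and audits a stored record for a readable copy. The field names, the `recovery_copy` layout and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example).
ITERATIONS = 600_000


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def hash_password(password: str) -> dict:
    """Build a storable record: random salt plus digest, never the password."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = _derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(actual, expected)


def weak_record(password: str) -> dict:
    """Hypothetical flawed layout: a recovery feature keeps a readable copy."""
    record = hash_password(password)
    record["recovery_copy"] = password  # anyone with storage access can read it
    return record


def plaintext_fields(record: dict, password: str) -> list:
    """Audit helper: names of fields where the password is readable as-is."""
    return [k for k, v in record.items() if isinstance(v, str) and password in v]


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    good, weak = hash_password(pw), weak_record(pw)
    print("login ok:", verify_password(pw, good))
    print("readable fields (hashed):", plaintext_fields(good, pw))
    print("readable fields (weak):", plaintext_fields(weak, pw))
```

Note that `weak_record` still passes login checks, which is why a stray plaintext copy can go unnoticed until someone audits what is actually stored.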

  • mihen
    Not surprised. I never put much hope for secure systems in Silicon Valley.
  • DeborahC150
    Thank you! Thank you! for writing this report at this time. I was doing research earlier this morning, regarding security features comparisons between G suite and Microsoft 365. Most of the articles preferred G Suite, but this new information opens serious questions and consideration regarding their reliability. I like the statement NOT that "only business customers were affected". The ones affected paying a bundle for being exposed!
  • Mandark
    hahahaha, MS has them beat by lightyears.. this is NOT surprising.
  • DeborahC150
    I had apprehension about G Suite, and this leak definitely confirms my suspicions and apprehension. I have had enough problems with hacked Gmail accounts on the consumer side, so why should I pay them for the privilege of having 10 people opening my email?