Google Has Stored Some Passwords in Plaintext Since 2005

Google Has Stored Some Passwords in Plaintext Since 2005

It happened again: Google announced today that it's the latest tech giant to have accidentally stored user passwords unprotected in plaintext. G Suite users, pay attention.


Google says that the bug affected "a small percentage of G Suite users," meaning it does not impact individual consumer accounts, but does affect some business and corporate accounts, which have their own risks and sensitivities. The company typically stores passwords on its servers in a cryptographically scrambled state known as a hash. But a bug in G Suite's password recovery feature for administrators caused unprotected passwords to be stored in the infrastructure of a control panel, called the admin console. Google has disabled the features that contained the bug.


Before it did so, the passwords would have been accessible to authorized Google personnel or malicious interlopers. Each organization's administrator could have also accessed the plaintext passwords for the account holders within their group.

Twitter and Facebook have dealt with plaintext password bugs of their own in the past 18 months. But where those two companies both concluded that it was unnecessary to auto-reset user passwords, Google is taking the step "out of an abundance of caution." At the time, Twitter would not comment on how long it had been storing users' passwords in plaintext. Facebook's bug dated back to 2012.

Google's bug, meanwhile, has existed since 2005—a year before "Google For Work" even became an official offering. And while the company emphasizes that it has no evidence that the plaintext passwords were ever accessed or ab ..