Google Warns G Suite Customers of Passwords Stored Unhashed

Google on Tuesday said that some customer passwords for its G Suite customers were stored in an unhashed format.

“We are writing to inform you that due to legacy functionality that enabled customer Domain Admins to view passwords, some of your users’ passwords were stored in our encrypted systems in an unhashed format,” the notice reads. “This primarily impacted system generated or admin generated passwords intended for one-time use.”

The company did not say how many accounts were impacted.

In specific notifications seen by SecurityWeek, Google said it had “reviewed the login information for the user account(s) and have found no evidence that the unhashed passwords were misused.” It is not clear if Google had discovered any misuse of unhashed passwords for other accounts. 

The tech giant said that it will force a password change on Wednesday, May 22, unless it has already been changed prior to that time.

Google provided the following password update methodology in the notice:

• Users With Single Sign On: We will reset their password by changing it to a randomly generated secure value. Please note that this will have no effect on their ability to log in using their Single Sign On credentials.

• Other Users and Super Admins: We will terminate their sessions and prompt users to change their password at their next login.

• In addition, starting Wednesday, May 29, 2019 PT we will reset the password for users that have not yet selected a new password or have not had a password reset. These users will need to follow your organization’s password recovery process. Super Admins will not be impacted. For information on password recovery options please refer to the following google warns suite customers passwords stored unhashed