Google revealed that its G Suite platform accidentally stored users’ passwords unprotected, in plaintext, on its internal servers for 14 years due to a bug in the password recovery feature.
G Suite, earlier known as Google Apps, is a collection of cloud computing, productivity, and collaboration tools designed mainly for corporate users, with email hosting for their businesses. In short, it is a business version of everything that Google provides.
The flaw, which has now been patched, was found in the password recovery mechanism for G Suite customers. That mechanism permits administrators to upload or manually set passwords for any user of their domain without knowing the previous passwords, in order to help businesses with on-boarding employees and with account recovery.
Google admitted that it had made an error while implementing this functionality in 2005. When an admin reset passwords, the admin console saved a copy of those passwords in plain text instead of encrypting them.
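The class of bug described above, shown as an added Python example that is not Google's code: an admin reset path that keeps a readable copy next to the protected credential, the corrected path, and two checks a defender can run against any password write path. All function names, the record layout and the use of salted PBKDF2 as the protected form are assumptions made for illustration.

```python
import hashlib, hmac, json, os, secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def hash_password(password: str) -> dict:
    """Return the only fields a credential record should hold: salt and hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def admin_set_password_flawed(store: dict, user: str, new_password: str) -> None:
    # Models the bug class: the credential is hashed, but the admin path
    # also keeps a readable copy next to it (hypothetical field name).
    store[user] = hash_password(new_password)
    store[user]["admin_copy"] = new_password

def admin_set_password_fixed(store: dict, user: str, new_password: str) -> None:
    # The admin path writes exactly what the normal path writes, nothing more.
    store[user] = hash_password(new_password)

def leaks_plaintext(set_password) -> bool:
    """Push a random canary through a write path and search everything stored."""
    store, canary = {}, "canary-" + secrets.token_hex(16)
    set_password(store, "test-user", canary)
    return canary in json.dumps(store)

def records_with_extra_fields(store: dict) -> list:
    """Audit existing data: users whose record has fields beyond salt/hash."""
    return sorted(u for u, rec in store.items() if set(rec) - {"salt", "hash"})

if __name__ == "__main__":
    print("flawed path leaks:", leaks_plaintext(admin_set_password_flawed))
    print("fixed path leaks: ", leaks_plaintext(admin_set_password_fixed))
```

The canary check works as a regression test for every code path that accepts a password, including admin and bulk-upload paths that are exercised less often than the normal login flow.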
Google also states that the plain text passwords were stored not on the Internet but on its own secure, encrypted servers. Even though any Google employee with access to the servers could have read these passwords, the company found no evidence of anyone’s password being improperly accessed.
The bug was restricted to users of its G Suite apps for businesses; the free versions of Google accounts, such as Gmail, were not affected.
The company has not revealed the number of users affected, but the issue affected a subset of its enterprise G Suite customers, of which there are more than 5 million. So the bug could have affected a large number of users, probably anyone who used G Suite in the last 14 years.
To address this issue, Google has removed the capability from G Suite administrators, and the list of impacted users is being emailed to the admins, asking them to reset those users' passwords. Passwords that are not changed will be automatically reset by Google.