The company reports it has not seen improper access to, or misuse of, affected enterprise G Suite credentials.
Google this week informed a subset of enterprise G Suite users that passwords were stored unhashed in its encrypted internal systems. So far, it says, none of them have been accessed or misused.
The issue specifically affects business G Suite users. Google had previously given domain admins a tool, located in the admin console, to upload or manually set user passwords for employees. This was a commonly requested feature and helped with account recovery and bringing aboard new users. For example, they could use it to give credentials to a new employee on his or her first day. This capability has since been eliminated for password recovery, Google reports in a blog post.
"We made an error when implementing this functionality back in 2005," writes Suzanne Frey, vice president of engineering for Cloud Trust, explaining how the admin console stored copies of the unhashed password. While the passwords were stored in Google's encrypted infrastructure, she says, "this practice did not live up to our standards."
In January 2019, Google was troubleshooting G Suite customer sign-up flows when it found a subset of unhashed passwords mistakenly stored in its encrypted infrastructure. It says it has fixed the issue, alerted those affected, and is working with admins to ensure passwords are reset.