In a Google Cloud blog post, Google announced that it had stored G Suite enterprise users’ passwords in plain text since 2005. Google has notified G Suite administrators to change the impacted passwords. The company has reset the affected accounts, but it has not specified how many users were affected. Below, we describe how it happened and what we recommend to secure your G Suite Enterprise accounts.
Google stores passwords on a secure, encrypted infrastructure as a scrambled, hashed version. Storing passwords this way prevents access to usable passwords in the event that anyone gets access to the stored data. Google administrators have a tool to upload or manually set user passwords for their company’s users. This tool is meant to help onboard new users and allow users to sign in with the provided temporary password. The G Suite admin onboarding a new user has the option to turn on “change user password on next sign on.” From the time the temporary password was assigned to a new or active G Suite user, that “temp password” was stored in plain text on Google’s servers. According to Google’s post, only Google employees had access to view these temporary passwords stored in plain text.
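To illustrate the difference between the two storage paths described above, here is an added example (not Google's code and not part of the original post) of an admin "set temporary password" routine that persists only a salted hash. All function names, the in-memory `store`, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a one-way hash; the plaintext cannot be read back from it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _record(password: str, must_change: bool) -> dict:
    salt = os.urandom(16)  # fresh random salt per password
    return {"salt": salt, "hash": hash_password(password, salt),
            "must_change": must_change}


def admin_set_temp_password(store: dict, user: str, temp_password: str) -> None:
    """Admin onboarding path: the temporary password is hashed like any other,
    and flagged so the user must replace it at the next sign-in."""
    store[user] = _record(temp_password, must_change=True)


def sign_in(store: dict, user: str, password: str) -> str:
    rec = store.get(user)
    if rec is None:
        return "denied"
    candidate = hash_password(password, rec["salt"])
    if not hmac.compare_digest(candidate, rec["hash"]):  # constant-time compare
        return "denied"
    return "change_required" if rec["must_change"] else "ok"


def change_password(store: dict, user: str, old: str, new: str) -> bool:
    if sign_in(store, user, old) == "denied":
        return False
    store[user] = _record(new, must_change=False)
    return True


def record_leaks_plaintext(record: dict, password: str) -> bool:
    """Audit check: True if any stored field contains the password itself."""
    needle = password.encode("utf-8")
    for value in record.values():
        data = value.encode("utf-8") if isinstance(value, str) else value
        if isinstance(data, bytes) and needle in data:
            return True
    return False
```

A check like `record_leaks_plaintext` can be run in tests against every write path, including admin and bulk-upload tools, since those are the paths that tend to bypass the normal hashing code.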
We recommend you enable “sign-in & recovery” with a phone number and a recovery email. Also, consider setting up 2-step verification for sign-in. This is the latest security issue from yet another big tech company. As always, we remind you to change your passwords and to keep following other digital security practices.