In a security lapse, Google stored a "subset" of business customers' G Suite passwords unhashed since 2005, said Suzanne Frey, VP of engineering, cloud trust at Google Cloud, in a blog post Tuesday. The company has thus far found no evidence of "improper access to or misuse of" the passwords, which were stored on the company's encrypted internal systems.
In a separate incident beginning in January, Google found unhashed passwords related to G Suite customer sign-up stored for a maximum of two weeks, Frey said. The company has fixed both flaws.
Google said it contacted G Suite administrators at companies affected by the password function. If an impacted company has not reset accounts, Google will do it "out of an abundance of caution."
In its role as a leading vendor and Silicon Valley giant — privacy concerns and regulatory attention aside — Google Cloud is working to set security standards for technology. The company serves as an evangelist for best practices in cybersecurity and boasts of efforts like introducing security keys to show how small changes can improve a company's risk posture.
With the password storage, for almost 15 years Google fell short of its self-imposed standards. And while no consumers were impacted, which will likely keep the company out of regulatory spotlight, it could tarnish business customer trust in Google's services.
At the root of the flaw is hashing; Google was storing some G Suite business user passwords in plaintext.
When a user sets a password on a Google account, the company usually hashes it, scrambling the exact characters to store it with a username, according to Frey. "It is simple to scramble your password, but nearly impossible to unscramble it."
If a user forgets the password, Google can only reset and offer a temporary password for an account. It can't unscramble the original password.
Google has transparency on its side. The company owned up to its mistake and apologized. But it is trying to appeal more to enterprise customers and any security mishaps are closely watched in a risk conscious industry. Experts and tool adopters keep reputation top of mind.